Preface


Imagination is more important than knowledge. Knowledge is limited. Imagination encircles 
the world. 


ALBERT EINSTEIN (1879-1955) 
The 1921 Nobel Laureate in Physics 


Quantum computational number theory is a new interdisciplinary subject combining
number theory, computation theory, and quantum computing. The aim of quantum
computational number theory is to use the new quantum computing techniques
to solve the intractable computational problems in number theory and number-
theoretic cryptography. Indeed, the most famous quantum algorithm, namely Shor's
quantum factoring algorithm, is for solving the integer factorization problem and for
breaking the RSA cryptographic system.

The book consists of six chapters. In Chapter 1, we try to answer briefly what is 
computational number theory and what is quantum computational number theory. 
Chapter 2 presents some basic concepts and results in classical and quantum 
computation. Chapter 3 gives an account of classical and quantum algorithms for 
the integer factorization problem (IFP). Chapter 4 discusses classical and quantum 
algorithms for the discrete logarithm problems (DLP), whereas Chapter 5 deals with 
classical and quantum algorithms for elliptic curve discrete logarithm problems 
(ECDLP). Since no classical algorithm is powerful enough to solve IFP, DLP,
and ECDLP in polynomial-time, all IFP-, DLP-, and ECDLP-based cryptographic
systems are secure, provided that they are constructed and used properly. However, if a
practical quantum computer can be built, then the quantum algorithms discussed can
be used to break all the IFP-, DLP-, and ECDLP-based cryptographic systems. Of
course, we cannot expect quantum algorithms, or more generally quantum computers,
to break all cryptographic systems, since quantum computers use a different
paradigm for computation and are not faster versions of classical computers:
for some computational problems such as IFP and DLP, they can exponentially
(more specifically superpolynomially) speed up the computation, but for other
problems such as any NP-complete problem, e.g., the traveling salesman problem
(TSP), they will not be able to speed up the computation at all. Thus, there
exist cryptographic systems that quantum computers cannot break; these types of
cryptographic systems are called quantum-resistant cryptographic systems. Finally,
in Chapter 6, we shall discuss some more quantum algorithms for other number-
theoretic and algebraic problems.

The monograph can be regarded as a new version of the author's earlier book
Quantum Attacks on Public-Key Cryptosystems, with an emphasis on quantum
attacks on the IFP, DLP, and ECDLP problems and on IFP-, DLP-, and
ECDLP-based cryptography. It is self-contained and can be used as a basic reference
for computer scientists, mathematicians, electrical engineers, and physicists
interested in quantum computational number theory. It can also be used as an advanced
text for final-year undergraduates or first-year graduates in the field.
Chapter 1
Introduction


God used beautiful mathematics in creating the world. 


PAUL DIRAC (1902-1984) 
The 1933 Nobel Laureate in Physics 


Number theory is one of the oldest subjects in mathematics. Traditionally, number
theory is the purest of the pure mathematical disciplines. But with the advent of
modern computers, it has become more and more computation-oriented, giving
birth to computational number theory, and even to quantum computational number
theory, just as analytic number theory and algebraic number theory arose, where
analysis and algebra play an important role. This chapter provides an introduction to
the basic ideas and concepts, as well as some important open problems, in number
theory, computational number theory and quantum computational number theory.
More specifically, we shall give a descriptive answer to the following three questions:


1. What is number theory? 
2. What is computational number theory? 
3. What is quantum computational number theory? 


1.1. What is Number Theory 


Number theory, or the theory of numbers, is concerned mainly with the study of the 
properties of the integers 


$$\mathbb{Z} = \{\ldots, -3, -2, -1, 0, 1, 2, 3, \ldots\},$$
particularly the positive integers


$$\mathbb{Z}^{+} = \{1, 2, 3, \ldots\}.$$
For example, by the divisibility property, all positive integers may be classified into
three categories:


1. Unit: 1.
2. Prime numbers: 2, 3, 5, 7, 11, 13, 17, 19, 23, ....
3. Composite numbers: 4, 6, 8, 9, 10, 12, 14, 15, 16, 18, 20, 21, 22, ....


Recall that a positive integer n > 1 is called a prime number if its only divisors are 1
and n; otherwise, it is a composite number. The integer 1 is neither a prime number nor a
composite number. Prime numbers play a central role in number theory, as any positive
integer n > 1 can be written uniquely in the following standard prime factorization form:


$$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k},$$


where $p_1 < p_2 < \cdots < p_k$ are primes and $\alpha_1, \alpha_2, \ldots, \alpha_k$ positive integers. Although
prime numbers have been studied for more than 2000 years, there are still many 
open problems about the distribution of prime numbers. Let us investigate some of 
the most interesting problems about prime numbers. 


1. The distribution of prime numbers. 
Euclid proved 2000 years ago in his Elements that there are infinitely many
prime numbers. That is, the sequence of prime numbers


2, 3, 5, 7, 11, 13, 17, 19, ...


is endless. For example, 2, 3, 5 are the first three prime numbers, whereas
$2^{57885161} - 1$ is the largest known prime number as of August 2015; it has 17425170
digits and was discovered on 25 January 2013. Let $\pi(x)$ denote the number of
prime numbers up to x (Table 1.1 gives some values of $\pi(x)$ for some large x);
then Euclid's theorem of the infinitude of primes actually says that


$$\pi(x) \to \infty, \quad \text{as } x \to \infty.$$


A much better result about the distribution of prime numbers is the Prime 
Number Theorem, stating that 


$$\pi(x) \sim x / \log x.$$
In other words,


$$\lim_{x \to \infty} \frac{\pi(x)}{x / \log x} = 1.$$
Table 1.1 $\pi(x)$ for some large x


x | $\pi(x)$ | $\pi(x) - x/\log x$

10^1 | 4 | -0.3
10^2 | 25 | 3.3
10^3 | 168 | 23
10^4 | 1229 | 143
10^5 | 9592 | 906
10^6 | 78498 | 6116
10^7 | 664579 | 44158
10^8 | 5761455 | 332774
10^9 | 50847534 | 2592592
10^10 | 455052511 | 20758029
10^11 | 4118054813 | 169923159
10^12 | 37607912018 | 1416705193
10^13 | 346065536839 | 11992858452
10^14 | 3204941750802 | 102838308636
10^15 | 29844570422669 | 891604962452
10^16 | 279238341033925 | 7804289844393
10^17 | 2623557157654233 | 68883734693281
10^18 | 24739954287740860 | 612483070893536
10^19 | 234057667276344607 | 5481624169369960
10^20 | 2220819602560918840 | 49347193044659701
10^21 | 21127269486018731928 | 446579871578168707
10^22 | 201467286689315906290 | 4060704006019620994
10^23 | 1925320391606803968923 | 37083513766578631309
10^24 | 18435599767349200867866 | 339996354713708049069
10^25 | 176846309399143769411680 | 3128516637843038351228
10^26 | 1699246750872437141327603 | 28883358936853188823261


Note that the log is the natural logarithm $\log_e$ (normally denoted by ln), where
$e = 2.7182818\ldots$. However, if the Riemann hypothesis [8] is true, then there is
a refinement of the Prime Number Theorem
$$\pi(x) = \int_2^x \frac{dt}{\log t} + O\!\left(x e^{-c\sqrt{\log x}}\right)$$
to the effect that
$$\pi(x) = \int_2^x \frac{dt}{\log t} + O\!\left(\sqrt{x} \log x\right).$$


Of course we do not know if the Riemann hypothesis is true. Whether or not 
the Riemann hypothesis is true is one of the most important open problems 
in mathematics, and in fact it is one of the seven Millennium Prize Problems 
proposed by the Clay Mathematics Institute in Boston in 2000, each with one
million US dollars (see [8, 9, 17, 58]). The Riemann hypothesis states that all the
nontrivial (complex) zeros $\rho$ of the $\zeta$ function


$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}, \quad s = \sigma + it,\ \{\sigma, t\} \in \mathbb{R},\ i = \sqrt{-1},$$


lying in the critical strip $0 < \mathrm{Re}(s) < 1$ must lie on the critical line $\mathrm{Re}(s) = \frac{1}{2}$,
that is, $\rho = \frac{1}{2} + it$, where $\rho$ denotes a nontrivial zero of $\zeta(s)$. Riemann calculated
the first five non-trivial zeros of $\zeta(s)$ and found that they all lie on the critical line
(see Figure 1.1); he then conjectured that all the non-trivial zeros of $\zeta(s)$ are on
the critical line.


Figure 1.1 Riemann's hypothesis: the trivial zeros $\zeta(-2n) = 0$, $n \ge 1$, on the negative real axis, and the first non-trivial zeros on the critical line $\mathrm{Re}(s) = 1/2$ at $1/2 \pm (14.13\ldots)i$, $1/2 \pm (21.02\ldots)i$, $1/2 \pm (25.01\ldots)i$, $1/2 \pm (30.42\ldots)i$, $1/2 \pm (32.93\ldots)i$
Table 1.2 Twenty large twin prime pairs


Rank | Twin primes | Digits | Time

1 | 3756801695685 · 2^666669 ± 1 | 200700 | Dec 2011
2 | 65516468355 · 2^333333 ± 1 | 100355 | Aug 2009
3 | 4884940623 · 2^198800 ± 1 | 59855 | July 2015
4 | 2003663613 · 2^195000 ± 1 | 58711 | Jan 2007
5 | 38529154785 · 2^173250 ± 1 | 52165 | July 2014
6 | 194772106074315 · 2^171960 ± 1 | 51780 | Jun 2007
7 | 100314512544015 · 2^171960 ± 1 | 51780 | Jun 2006
8 | 16869987339975 · 2^171960 ± 1 | 51779 | Sep 2005
9 | 33218925 · 2^169690 ± 1 | 51090 | Sep 2002
10 | 22835841624 · 7^54321 ± 1 | 45917 | Nov 2010
11 | 1679081223 · 2^151618 ± 1 | 45651 | Feb 2012
12 | 9606632571 · 2^151515 ± 1 | 45621 | Jul 2014
13 | 84966861 · 2^140219 ± 1 | 42219 | Apr 2012
14 | 12378188145 · 2^140002 ± 1 | 42155 | Dec 2010
15 | 23272426305 · 2^140001 ± 1 | 42155 | Dec 2010
16 | 8151728061 · 2^125987 ± 1 | 37936 | May 2010
17 | 598899 · 2^118987 ± 1 | 35825 | Apr 2010
18 | 307259241 · 2^115599 ± 1 | 34808 | Jan 2009
19 | 60194061 · 2^114689 ± 1 | 34533 | Nov 2002
20 | 5558745 · 10^33334 ± 1 | 33341 | Apr 2011

2. The distribution of twin prime numbers.
Twin prime numbers are pairs of the form $n \pm 1$, where both numbers are prime.
For example, (3, 5), (5, 7), (11, 13) are the three smallest twin prime pairs,
whereas the largest twin primes so far are $65516468355 \cdot 2^{333333} \pm 1$, discovered
in August 2009, both numbers having 100355 digits. Table 1.2 gives 20 large
twin prime pairs. Let $\pi_2(x)$ be the number of twin primes up to x (Table 1.3 gives
some values of $\pi_2(x)$ for different x); then the twin prime conjecture states that


$$\pi_2(x) \to \infty, \quad \text{as } x \to \infty.$$
If the probability of a random integer x and the integer x + 2 being prime were
statistically independent, then it would follow from the Prime Number Theorem
that


$$\pi_2(x) \sim \frac{x}{(\log x)^2},$$


or more precisely,


$$\pi_2(x) \sim \frac{2c\,x}{(\log x)^2}$$
with
$$c = \prod_{p \ge 3} \left(1 - \frac{1}{(p-1)^2}\right).$$


As these probabilities are not independent, Hardy and Littlewood conjectured
that


$$\pi_2(x) \sim 2 \prod_{p \ge 3} \frac{p(p-2)}{(p-1)^2} \int_2^x \frac{dt}{(\log t)^2}
\approx 1.320323632 \int_2^x \frac{dt}{(\log t)^2}.$$


The infinite product in the above formula is the twin prime constant; this
constant was estimated to be approximately 0.66016181584686957392..., so
$2c \approx 1.3203236316937391478$. The conjectured values of $\pi_2(x)$ for various x
are also given in Table 1.3 (see the information in the rightmost column of the
table). Using very complicated arguments based on sieve methods in his work
on the Goldbach conjecture, the Chinese mathematician Chen [10] showed that
there are infinitely many pairs of integers (n, n + 2), with n prime and n + 2 a
product of at most two primes. More recently, Zhang [62] showed that


$$\liminf_{n \to \infty} (P_{n+1} - P_n) < N, \quad \text{with } N < 7 \cdot 10^7,$$


Table 1.3 $\pi_2(x)$ for some values x


x | Actual values for $\pi_2(x)$ | Conjectured values for $\pi_2(x)$
10^1 | 2 | 4
10^2 | 8 | 13
10^3 | 34 | 45
10^4 | 205 | 214
10^5 | 1224 | 1248
10^6 | 8169 | 8248
10^7 | 58980 | 58753
10^8 | 440312 | 440367
10^9 | 3424506 | 3425308
10^10 | 27412679 | 27411416
10^11 | 224376048 | 224368864
10^12 | 1870585220 | 1870559866
10^13 | 15834664872 | 15834598305
10^14 | 135780321665 | 135780264894
10^15 | 1177209242304 | 1177208491860
10^16 | 10304195697298 | 10304192554495
where $P_n$ is the nth prime, which is a major improvement on the Goldston-
Graham-Pintz-Yildirim result [27].


Notice that the value of N in Zhang's result has been reduced to 246 by a
group of people in the Polymath Project. A similar and equivalent problem to
the twin prime number conjecture is the Goldbach conjecture, which states that
every even number greater than 4 is the sum of two odd prime numbers. It was
conjectured by Goldbach in a letter to Euler in 1742. It remains unsolved to this
day. The best result for this conjecture is due to Chen, who announced it in
1966, but the full proof was not given until 1973 [10], due to the chaotic Cultural
Revolution: every sufficiently large even number is the sum of one prime
number and the product of at most two prime numbers, i.e., $E = p_1 + p_2 p_3$,
where E is a sufficiently large even number and $p_1, p_2, p_3$ are prime numbers. As
a consequence, there are infinitely many such twin numbers $(p_1,\ p_1 + 2 = p_2 p_3)$.
Extensions relating to the twin prime numbers have also been considered. For
example, are there infinitely many triplet primes (p, q, r) with q = p + 2 and
r = p + 6? The first five triplets of this form are as follows: (5, 7, 11), (11, 13, 17),
(17, 19, 23), (41, 43, 47), (101, 103, 107). The triplet prime problem is much
harder than the twin prime problem. It is amusing to notice that there is only
one triplet of primes (p, q, r) with q = p + 2 and r = p + 4, namely (3, 5, 7). The
Riemann hypothesis, the twin prime problem and the Goldbach conjecture form
the famous Hilbert's 8th Problem.


3. The distribution of arithmetic progressions of prime numbers.


An arithmetic progression of prime numbers is defined to be a sequence of
primes satisfying


$$p,\ p + d,\ p + 2d,\ \ldots,\ p + (k-1)d,$$


where p is the first term, d the common difference, and p + (k − 1)d the last term
of the sequence. For example, the following are some sequences of arithmetic
progressions of primes:


3, 5, 7,
5, 11, 17, 23,
5, 11, 17, 23, 29.


The longest known arithmetic progression of primes is the following sequence with
23 terms: $56211383760397 + k \cdot 44546738095860$ with $k = 0, 1, \ldots, 22$.
Thanks to Green and Tao [29], who proved in 2007 that there are arbitrarily
long arithmetic progressions of primes (i.e., k can be any arbitrarily large natural
number), which enabled, among other things, Tao to receive a Fields Medal in 2006,
an equivalent of the Nobel Prize for mathematics. However, their result is not about
consecutive primes; we still do not know if there are arbitrarily long arithmetic
progressions of consecutive primes, although Chowla proved in 1944 that there
exist infinitely many arithmetic progressions of three consecutive primes. Note
that an arithmetic progression of consecutive primes is a sequence of consecutive
primes in the progression. In 1967, Jones, Lal and Blundon found an arithmetic
progression of five consecutive primes $10^{10} + 24493 + 30k$ with $k = 0, 1, 2, 3, 4$.
In the same year, Lander and Parkin discovered six in an arithmetic progression
$121174811 + 30k$ with $k = 0, 1, 2, 3, 4, 5$. The longest arithmetic progression of
consecutive primes, discovered by Manfred Toplic in 1998, is


$$507618446770482 \cdot 193\# + x_{77} + 210k,$$
where


193# is the product of all primes ≤ 193,

$x_{77}$ is the following 77-digit number
54538241683887582668189703590110659057865934764604873840781923513421103495579,

k = 0, 1, 2, ..., 9.


It should be noted that problems in number theory are easy to state, because they are
mainly concerned with integers, with which we are very familiar, but often very hard to
solve!


Problems for Section 1.1 


1. Show that there are infinitely many prime numbers.

2. Prove or disprove that there are infinitely many twin prime numbers.

3. Are there infinitely many triple prime numbers of the form p, p + 2, p + 4, where
p, p + 2, p + 4 are all prime numbers? For example, 3, 5, 7 are such triple prime
numbers.

4. Are there infinitely many triple prime numbers of the form p, p + 2, p + 6, where
p, p + 2, p + 6 are all prime numbers? For example, 5, 7, 11 are such triple prime
numbers.

5. (Prime Number Theorem) Show that


$$\lim_{x \to \infty} \frac{\pi(x)}{x / \log x} = 1.$$

6. (Twin Prime Number Conjecture) Show that


$$\lim_{x \to \infty} \frac{\pi_2(x)}{x / (\log x)^2} = 2c,$$

where c is the twin prime constant.
7. (Hardy-Littlewood's Conjecture of Twin Prime Numbers) Show that


$$\pi_2(x) \sim 2 \prod_{p \ge 3} \frac{p(p-2)}{(p-1)^2} \int_2^x \frac{dt}{(\log t)^2}
\approx 1.320323632 \int_2^x \frac{dt}{(\log t)^2}.$$


8. The Riemann $\zeta$-function is defined as follows:


$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s},$$


where $s = \sigma + it$ is a complex number. Riemann conjectured that all zeroes
of $\zeta(s)$ in the critical strip $0 < \sigma < 1$ must lie on the critical line $\sigma = \frac{1}{2}$.
That is,
$$\zeta\!\left(\tfrac{1}{2} + it\right) = 0.$$


Prove or disprove the Riemann hypothesis.


9. Andrew Beal in 1993 conjectured that the equation $x^a + y^b = z^c$ has no positive
integer solutions in x, y, z, a, b, c, where a, b, c > 3 and gcd(x, y) = gcd(y, z) =
gcd(x, z) = 1. Beal has offered 100,000 US dollars for a proof or a disproof of this
conjecture.

10. Prove or disprove the Goldbach conjecture that any even number greater than 6
is the sum of two odd prime numbers.

11. A positive integer n is perfect if $\sigma(n) = 2n$, where $\sigma(n)$ is the sum of all divisors
of n. For example, 6 is perfect since $\sigma(6) = 1 + 2 + 3 + 6 = 2 \cdot 6 = 12$. Show
that n is perfect if and only if $n = 2^{p-1}(2^p - 1)$, where $2^p - 1$ is a Mersenne
prime.

12. All known perfect numbers are even perfect. Recent research shows that if there
exists an odd perfect number, it must be greater than $10^{300}$ and must have at least
29 prime factors (not necessarily distinct). Prove or disprove that there exists at
least one odd perfect number.

13. Show that there are arbitrarily long arithmetic progressions of prime numbers


$$p,\ p + d,\ p + 2d,\ \ldots,\ p + (k-1)d,$$


where p is the first term, d the common difference and p + (k − 1)d the last term
of the sequence; furthermore, all the terms in the sequence are prime numbers
and k can be any arbitrarily large positive integer.

14. Prove or disprove that there are arbitrarily long arithmetic progressions of
consecutive prime numbers.
1.2. What is Computational Number Theory


Computational number theory, as its name suggested, may be regarded as a 
combined subject of number theory and computation theory. That is, 


Computational Number Theory := Number Theory ⊕ Computation Theory.


Basically, any topic in number theory where computation plays a central 
role can be regarded as a topic in computational number theory. Computational 
number theory aims at either using computing techniques to solve number-theoretic 
problems, or using number theoretic techniques to solve computer science problems. 
We concentrate in this book on using computing techniques to solve number 
theoretic problems that have connections and applications in modern public-key 
cryptography. Typical questions or problems in this category of computational 
number theory include: 


1. Primality Testing Problem (PTP). PTP can be formally defined as follows:


$$\text{PTP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & n > 1, \\ \text{Output}: & \text{Yes if } n \in \text{Primes},\ \text{No otherwise}. \end{cases}$$


Theoretically speaking, PTP can be solved in polynomial-time, i.e., PTP can be
solved efficiently on a computer. However, it may still be difficult to decide
whether or not a large number is prime. Call a number a Mersenne prime if it
is of the form


$$M_p = 2^p - 1,$$


where p is prime and $2^p - 1$ is also prime. To date, only 47 such p have
been found (see Table 1.4); the first four were found 2500 years ago. Note that
$2^{43112609} - 1$ is not only the largest known Mersenne prime, but also the largest
known prime in the world to date. The search for the largest Mersenne prime
and/or the largest prime has always been a hot topic in computational number
theory. EFF (Electronic Frontier Foundation) has offered in total 550,000 US
dollars to the first individual or organization who finds the following large primes:


Prize (US dollars) | Conditions for the new primes
50,000 | at least 1000000 digits
100,000 | at least 10000000 digits
150,000 | at least 100000000 digits
250,000 | at least 1000000000 digits
Table 1.4 The 47 known Mersenne primes $M_p = 2^p - 1$


No | p | Digits ($M_p$) | Time | No | p | Digits ($M_p$)
1 | 2 | 1 | - | 2 | 3 | 1
3 | 5 | 2 | - | 4 | 7 | 3
5 | 13 | 4 | 1456 | 6 | 17 | 6
7 | 19 | 6 | 1588 | 8 | 31 | 10
9 | 61 | 19 | 1883 | 10 | 89 | 27
11 | 107 | 33 | 1913 | 12 | 127 | 39
13 | 521 | 157 | 1952 | 14 | 607 | 183
15 | 1279 | 386 | 1952 | 16 | 2203 | 664
17 | 2281 | 687 | 1952 | 18 | 3217 | 969
19 | 4253 | 1281 | 1961 | 20 | 4423 | 1332
21 | 9689 | 2917 | 1963 | 22 | 9941 | 2993
23 | 11213 | 3376 | 1963 | 24 | 19937 | 6002
25 | 21701 | 6533 | 1978 | 26 | 23209 | 6987
27 | 44497 | 13395 | 1979 | 28 | 86243 | 25962
29 | 110503 | 33265 | 1988 | 30 | 132049 | 39751
31 | 216091 | 65050 | 1985 | 32 | 756839 | 227832
33 | 859433 | 258716 | 1994 | 34 | 1257787 | 378632
35 | 1398269 | 420921 | 1996 | 36 | 2976221 | 895932
37 | 3021377 | 909526 | 1998 | 38 | 6972593 | 2098960
39 | 13466917 | 4053946 | 2001 | 40 | 20996011 | 6320430
41 | 24036583 | 7235733 | 2004 | 42 | 25964951 | 7816230
43 | 30402457 | 9152052 | 2005 | 44 | 32582657 | 9808358
45 | 37156667 | 11185272 | 2008 | 46 | 42643801 | 12837064
47 | 43112609 | 12978189 | 2008 | 48 | ? | ?


The first prize was claimed by Nayan Hajratwala in Michigan in 1996, who found
the 38th Mersenne prime $2^{6972593} - 1$ with 2098960 digits; the second prize was
claimed by Edson Smith at UCLA in 2008, who found the 46th Mersenne prime
$2^{42643801} - 1$ with 12837064 digits. The remaining two prizes remain unclaimed.
Of course, we still do not know if there are infinitely many Mersenne primes.
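The Lucas-Lehmer test is the standard way a candidate $M_p$ is checked for primality, and it is how the exponents in Table 1.4 were found; as an added example (not the book's own code), the following Python implements it and recovers the first rows of that table.

```python
# Added example (not from the book): the Lucas-Lehmer test for Mersenne numbers
# M_p = 2^p - 1. For an odd prime p, M_p is prime iff s_{p-2} == 0, where
# s_0 = 4 and s_{i+1} = s_i^2 - 2 (mod M_p). Only p, not M_p, needs a separate
# primality test, and p is small enough here for trial division.


def is_prime_trial(n: int) -> bool:
    """Trial-division primality test, used only on the (small) exponent p."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def lucas_lehmer(p: int) -> bool:
    """Return True iff M_p = 2^p - 1 is a Mersenne prime."""
    if not is_prime_trial(p):
        return False              # a composite exponent never yields a Mersenne prime
    if p == 2:
        return True               # M_2 = 3; the recurrence below needs p > 2
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m       # reduction mod M_p keeps s at p bits
    return s == 0


def mersenne_exponents_up_to(limit: int) -> list:
    """All p <= limit for which M_p is prime, i.e. the first rows of Table 1.4."""
    return [p for p in range(2, limit + 1) if lucas_lehmer(p)]


def digits_of_mersenne(p: int) -> int:
    """Number of decimal digits of M_p (the 'Digits' column of Table 1.4)."""
    return len(str((1 << p) - 1))


if __name__ == "__main__":
    for p in mersenne_exponents_up_to(700):
        print(f"p = {p:4d}  M_p has {digits_of_mersenne(p)} digits")
```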

2. Integer Factorization Problem (IFP). IFP can be formally defined as follows:


$$\text{IFP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & n > 1, \\ \text{Output}: & a \mid n,\ 1 < a < n. \end{cases}$$


The IFP assumption is that given the positive integer n > 1, it is hard to find its
non-trivial factor(s), i.e.,


$$\{n = ab\} \xrightarrow{\text{hard}} \{a,\ 1 < a < n\}.$$


Note that in IFP, we aim at finding just one non-trivial factor a (not necessarily a
prime factor) of n. The Fundamental Theorem of Arithmetic asserts that any
Figure 1.2 Prime factorization of 123457913315: 123457913315 = 187 · 660202745 = (11 · 17) · (5 · 132040549)


positive integer n > 1 can be uniquely written in the following standard prime
factorization form:


$$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k},$$


where $p_1 < p_2 < \cdots < p_k$ are primes and $\alpha_1, \alpha_2, \ldots, \alpha_k$ positive integers.
Clearly, by recursively performing the operations of primality testing and integer
factorization, n can eventually be written in its standard prime factorization form;
say, if we wish to factor 123457913315, the recursive process is shown in
Figure 1.2. So, if we define the Prime Factorization Problem (PFP) as follows:


$$\text{PFP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & n > 1, \\ \text{Output}: & p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}, \end{cases}$$


then


$$\text{PFP} = \text{PTP} \oplus \text{IFP}.$$


Although PTP can be solved efficiently in polynomial-time, IFP cannot be solved
in polynomial-time. Finding a polynomial-time factoring algorithm is one of the
most important research topics in computational number theory. At present, no
polynomial-time algorithm for factoring has been found, and no one has yet
proved that no such algorithm exists. The current world record for integer
factorization is RSA-768 (a number with 768 bits and 232 digits).




It was factored on 9 Dec 2009 [35]. The factoring process required about $10^{20}$
operations and would need about 2000 years of computation on a single-core
2.2 GHz AMD Opteron.

3. Discrete Logarithm Problem (DLP). According to historical records, logarithms
over the set of real numbers $\mathbb{R}$ were first invented in the sixteenth century
by the Scottish mathematician John Napier (1550-1617). We define k to be the
logarithm to the base x of y,


$$k = \log_x y,$$
if and only if
$$x^k = y.$$
So the Logarithm Problem (LP) over $\mathbb{R}$ may be defined as follows:


$$\text{LP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & x, y, \\ \text{Output}: & k \text{ such that } y = x^k. \end{cases}$$


For example, $\log_3 19683 = 9$, since $3^9 = 19683$. LP over $\mathbb{R}$ is easy to solve,
since


$$\log_x y = \frac{\ln y}{\ln x},$$


where the natural logarithms can be calculated efficiently by the following
formula (of course, depending on the accuracy):


= = _ piel 
aaa ree 


For example,


$$\log_2 5 = \frac{\ln 5}{\ln 2} = \frac{1.609437912}{0.693147181} \approx 2.321928095.$$
We can always get a result at a certain level of accuracy. The Discrete Logarithm
Problem over the multiplicative group $\mathbb{Z}_n^*$, discussed in this book, is completely
different from the traditional one we just mentioned. Let


$$\mathbb{Z}_n^* = \{a : 1 \le a < n,\ a \in \mathbb{Z}_{>0},\ \gcd(a, n) = 1\}.$$


DLP may be defined as follows:
$$\text{DLP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & x, n, y, \\ \text{Output}: & k \text{ such that } y \equiv x^k \pmod{n}. \end{cases}$$


The DLP assumption is that


$$\{x, n, y \equiv x^k \pmod{n}\} \xrightarrow{\text{hard}} \{k\}.$$
The following are some small and simple examples of DLP:


$\log_2 57 \equiv k \pmod{1009} \Rightarrow k$ does not exist;
$\log_{11} 57 \equiv k \pmod{1009} \Rightarrow k = 375$;
$\log_3 20 \equiv k \pmod{1009} \Rightarrow k \in \{165, 333, 501, 669, 837, 1005\}$.


As can be seen, in the first example, the required discrete logarithm does not
exist, whereas in the last example, the required discrete logarithms are not
unique. In what follows, we give a somewhat larger example of DLP: Let


$$p = (739 \cdot 7^{149} - 736)/3,$$

$$7^a \equiv 127402180119973946824269244334322849749382042586931621654557735290322914679095998681860978813046595166455458144280588076766033781 \pmod{p},$$


$$7^b \equiv 180162285287453102444782834836799895015967046695346697313025121734059953772058475958176910625380692101651848662362137934026803049 \pmod{p}.$$


Find $7^{ab}$. To compute $7^{ab}$, we need either to find a from $7^a \bmod p$ or b from
$7^b \bmod p$, so that we can calculate $7^{ab} = (7^a)^b = (7^b)^a$. This problem was
proposed by McCurley in 1990 [40] and solved by Weber in 1998 [55].
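Small instances of DLP such as the ones modulo 1009 above can be solved by exhaustive search, and somewhat larger ones by Shanks' baby-step giant-step method; the following Python is an added example (not code from the book) doing both, returning every solution in the exhaustive case, as the third instance requires.

```python
# Added example (not from the book): solving small DLP instances y = x^k (mod n)
# for prime n. dlog_all walks every power of x and so returns every solution,
# while dlog_bsgs is Shanks' baby-step giant-step method, which needs only
# about sqrt(n) modular multiplications plus a table of the same size.
from math import isqrt
from typing import List, Optional


def dlog_all(x: int, y: int, n: int) -> List[int]:
    """Every k in [0, n-2] with x^k = y (mod n); exponents live modulo n-1 for prime n."""
    y %= n
    solutions, power = [], 1          # power = x^k (mod n) for the current k
    for k in range(n - 1):
        if power == y:
            solutions.append(k)
        power = power * x % n
    return solutions


def dlog_bsgs(x: int, y: int, n: int) -> Optional[int]:
    """Smallest k >= 0 with x^k = y (mod n), or None if no such k exists.
    Assumes n is prime and gcd(x, n) = 1, as in the text's examples."""
    m = isqrt(n - 1) + 1              # m^2 > n-1, so k = i*m + j covers every exponent
    baby = {}                         # baby steps: x^j (mod n) -> smallest such j
    power = 1
    for j in range(m):
        baby.setdefault(power, j)
        power = power * x % n
    step = pow(x, -m, n)              # x^{-m} (mod n)
    gamma = y % n                     # giant steps: y * x^{-i*m} for i = 0, 1, ...
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % n
    return None


if __name__ == "__main__":
    # The text's three instances modulo 1009: every solution, then the BSGS answer.
    for base, target in [(2, 57), (11, 57), (3, 20)]:
        print(f"log_{base} {target} (mod 1009): all =", dlog_all(base, target, 1009),
              " bsgs =", dlog_bsgs(base, target, 1009))
```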


4. Elliptic Curve Discrete Logarithm Problem (ECDLP). The Elliptic Curve Discrete
Logarithm Problem (ECDLP) is a very natural generalization of the Discrete
Logarithm Problem (DLP) from the multiplicative group $\mathbb{Z}_n^*$ to the elliptic curve
groups $E(\mathbb{Q})$, $E(\mathbb{Z}_n)$ or $E(\mathbb{F}_p)$. Let E be an elliptic curve


$$E: y^2 = x^3 + ax + b$$


over a field K, denoted by $E \backslash K$. A straight (non-vertical) line L connecting points
P and Q intersects the elliptic curve E at a third point R, and the point $P \oplus Q$
is the reflection of R in the X-axis. That is, if $R = (x_3, y_3)$, then $P \oplus Q =
(x_3, -y_3)$ is the reflection of R in the X-axis. Note that a vertical line, such as
L' or L'', meets the curve at two points (not necessarily distinct), and also at the
point at infinity $O_E$ (we may think of the point at infinity as lying far off in the
direction of the Y-axis). The line at infinity meets the curve at the point $O_E$ three
times. Of course, the non-vertical line meets the curve in three points in the XY
plane. Thus, every line meets the curve in three points. The algebraic formula for
computing $P_3(x_3, y_3) = P_1(x_1, y_1) + P_2(x_2, y_2)$ on E is as follows:


$$(x_3, y_3) = \left(\lambda^2 - x_1 - x_2,\ \lambda(x_1 - x_3) - y_1\right),$$


where
$$\lambda = \begin{cases} \dfrac{3x_1^2 + a}{2y_1}, & \text{if } P_1 = P_2, \\[2ex] \dfrac{y_2 - y_1}{x_2 - x_1}, & \text{otherwise.} \end{cases}$$


Given E and $P \in E$, it is easy to find $Q = kP$, which is of course also in E. For
example, to compute $Q = 105P$, we first let


$$k = 105 = (1101001)_2,$$


then perform the operations as follows:


1: $Q \leftarrow P + 2Q$ ⇒ $Q \leftarrow P$ ⇒ $Q = P$
1: $Q \leftarrow P + 2Q$ ⇒ $Q \leftarrow P + 2P$ ⇒ $Q = 3P$
0: $Q \leftarrow 2Q$ ⇒ $Q \leftarrow 2(P + 2P)$ ⇒ $Q = 6P$
1: $Q \leftarrow P + 2Q$ ⇒ $Q \leftarrow P + 2(2(P + 2P))$ ⇒ $Q = 13P$
0: $Q \leftarrow 2Q$ ⇒ $Q \leftarrow 2(P + 2(2(P + 2P)))$ ⇒ $Q = 26P$
0: $Q \leftarrow 2Q$ ⇒ $Q \leftarrow 2(2(P + 2(2(P + 2P))))$ ⇒ $Q = 52P$
1: $Q \leftarrow P + 2Q$ ⇒ $Q \leftarrow P + 2(2(2(P + 2(2(P + 2P)))))$ ⇒ $Q = 105P$.
This gives the required result $Q = P + 2(2(2(P + 2(2(P + 2P))))) = 105P$.
As can be seen, given $(E \backslash K, k, P)$ it is easy to compute


$$Q = kP.$$
However, it is hard to find k given $(E \backslash K, P, Q)$. This is the Elliptic Curve Discrete
Logarithm Problem (ECDLP), which may be formally defined as follows (let E
be an elliptic curve over the finite field $\mathbb{F}_p$):


$$\text{ECDLP} \stackrel{\text{def}}{=} \begin{cases} \text{Input}: & E \backslash \mathbb{F}_p,\ (P, Q) \in E(\mathbb{F}_p), \\ \text{Output}: & k > 1 \text{ such that } Q \equiv kP \pmod{p}. \end{cases}$$


The ECDLP assumption asserts that


$$\{(P,\ Q \equiv kP \pmod{p}) \in E(\mathbb{F}_p)\} \xrightarrow{\text{hard}} \{k\}.$$




Suppose that we are given
$$(190, 271) = k(1, 237) \pmod{1009},$$
with
$$E: y^2 = x^3 + 71x + 602 \pmod{1009};$$
then it is easy to find
$$k = 419,$$
since the finite field $\mathbb{F}_p$ is small. However, when the finite field is large, such as


$$Q(x_Q, y_Q) = kP(x_P, y_P) \pmod{p}$$


on $E \backslash \mathbb{F}_p$, where


p = 1550031797834347859248576414813139942411,
a = 1399267573763578815877905235971153316710,
b = 1009296542191532464076260367525816293976,
$x_P$ = 1317953763239595888465524145589872695690,
$y_P$ = 434829348619031278460656303481105428081,
$x_Q$ = 1247392211317907151303247721489640699240,
$y_Q$ = 207534858442090452193999571026315995117.


In this case, it is very hard to find k. Certicom Canada offered 20,000 US
dollars to the first individual or organization who gets the correct value of
k. More Certicom prize problems along this line may be found in Table 1.5
(the above-mentioned 20,000 US dollar prize curve corresponds to ECCp-131, as p has
131 bits in this example).


Table 1.5 Some Certicom ECDLP challenge problems


Curves | Bits | Operations | Prizes (US dollars) | Status
ECCp-97 | 97 | 3.0 × 10^14 | 5,000 | 1998
ECCp-109 | 109 | 2.1 × 10^16 | 10,000 | 2002
ECCp-131 | 131 | 3.5 × 10^19 | 20,000 | ?
ECCp-163 | 163 | 2.4 × 10^24 | 30,000 | ?
ECCp-191 | 191 | 4.9 × 10^28 | 40,000 | ?
ECCp-239 | 239 | 8.2 × 10^35 | 50,000 | ?
ECCp-359 | 359 | 9.6 × 10^53 | 100,000 | ?
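The chord-and-tangent formulas, the double-and-add chain for 105P, and the small-field instance (190, 271) = k(1, 237) on y² = x³ + 71x + 602 (mod 1009) from the ECDLP discussion above, as an added Python example (not the book's code). The point at infinity $O_E$ is represented by None; the curve and points are the book's own values, and the exhaustive search is only feasible because p is tiny.

```python
# Added example (not from the book): elliptic-curve arithmetic over F_p with the
# chord-and-tangent formulas from the text, left-to-right double-and-add (the
# chain shown for k = 105 = 1101001_2), and an exhaustive search for the ECDLP
# on the book's small curve y^2 = x^3 + 71x + 602 (mod 1009). None stands for O_E.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Curve:
    a: int
    b: int
    p: int

    def contains(self, P: Point) -> bool:
        """True if P satisfies y^2 = x^3 + ax + b (mod p); O_E is always on E."""
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0


def ec_add(E: Curve, P: Point, Q: Point) -> Point:
    """P + Q by the chord-and-tangent rule of the text."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % E.p == 0:
        return None                              # vertical line: P + (-P) = O_E
    if P == Q:                                   # tangent: lambda = (3x1^2 + a) / (2y1)
        lam = (3 * x1 * x1 + E.a) * pow(2 * y1 % E.p, -1, E.p) % E.p
    else:                                        # chord: lambda = (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow((x2 - x1) % E.p, -1, E.p) % E.p
    x3 = (lam * lam - x1 - x2) % E.p
    y3 = (lam * (x1 - x3) - y1) % E.p
    return (x3, y3)


def ec_mul(E: Curve, k: int, P: Point) -> Point:
    """kP by scanning the bits of k from the most significant one:
    every bit doubles Q, and a 1-bit then adds P (Q <- P + 2Q)."""
    Q: Point = None
    for bit in bin(k)[2:]:
        Q = ec_add(E, Q, Q)
        if bit == "1":
            Q = ec_add(E, P, Q)
    return Q


def ec_dlp(E: Curve, P: Point, Q: Point) -> Optional[int]:
    """Smallest k >= 1 with kP = Q, found by walking P, 2P, 3P, ...
    By Hasse's bound the order of P is below 2p + 2, so the walk stops there."""
    R = P
    for k in range(1, 2 * E.p + 3):
        if R == Q:
            return k
        R = ec_add(E, R, P)
    return None


if __name__ == "__main__":
    E = Curve(a=71, b=602, p=1009)
    P, Q = (1, 237), (190, 271)
    print("105P =", ec_mul(E, 105, P))
    k = ec_dlp(E, P, Q)
    if k is not None:
        print("k =", k, " kP == Q:", ec_mul(E, k, P) == Q)
```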
5. The Root Finding Problem (RFP). The k-th Root Finding Problem (RFP), or
the RFP problem for short, may be defined as follows:


$$k\text{-RFP} \stackrel{\text{def}}{=} \{k, N, y \equiv x^k \pmod{N}\} \xrightarrow{\text{hard}} \{x \equiv \sqrt[k]{y} \pmod{N}\}.$$


If the prime factorization of N is known, one can compute the Euler function
$\phi(N)$ and solve the linear Diophantine equation $ku - \phi(N)v = 1$ in u and v, and
the computation $x \equiv y^u \pmod{N}$ gives the required value. Thus, if IFP can be
solved in polynomial-time, then RFP can also be solved in polynomial-time:


$$\text{IFP} \stackrel{\mathcal{P}}{\Longrightarrow} \text{RFP}.$$
The security of RSA relies on the intractability of IFP, and also on RFP; if either
one of the problems can be solved in polynomial-time, RSA can be broken in
polynomial-time.
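The IFP ⇒ RFP reduction just described, carried out in Python as an added example (not the book's code): the modulus N = 3233 = 61 · 53 and exponent k = 17 are constructed for illustration, and the root is recovered exactly as an RSA private exponent would be derived from the factors.

```python
# Added example (not from the book): the IFP => RFP reduction. From the prime
# factorization of N we compute phi(N), solve ku - phi(N)v = 1 with the extended
# Euclidean algorithm, and obtain the k-th root as x = y^u (mod N).
# The sample modulus N = 3233 = 61 * 53 with k = 17 is constructed for illustration.
from typing import Dict, Tuple


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def phi_from_factors(factors: Dict[int, int]) -> int:
    """Euler's phi(N) from the standard prime factorization N = prod p^alpha."""
    result = 1
    for p, alpha in factors.items():
        result *= (p - 1) * p ** (alpha - 1)
    return result


def kth_root_mod(k: int, N: int, y: int, factors: Dict[int, int]) -> int:
    """x with x^k = y (mod N), given the factorization of N.
    Requires gcd(k, phi(N)) = 1 and gcd(y, N) = 1."""
    phi = phi_from_factors(factors)
    g, u, _v = egcd(k, phi)
    if g != 1:
        raise ValueError("k must be invertible modulo phi(N)")
    u %= phi                          # now k*u = 1 (mod phi(N)), i.e. ku - phi(N)v = 1
    return pow(y, u, N)               # (x^k)^u = x^(1 + phi(N)v) = x (mod N) by Euler


if __name__ == "__main__":
    N, k, factors = 3233, 17, {61: 1, 53: 1}
    y = pow(65, k, N)                 # y = 65^17 (mod N); the root 65 is to be recovered
    print("phi(N) =", phi_from_factors(factors), " x =", kth_root_mod(k, N, y, factors))
```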

6. The SQuare RooT Problem (SQRT). Let $y \in QR_N$, where $QR_N$ denotes the set
of quadratic residues modulo N, which will be introduced later. The SQRT problem is
to find an x such that

$$x^2 \equiv y \pmod{N} \quad \text{or} \quad x \equiv \sqrt{y} \pmod{N}.$$
That is,


$$\text{SQRT} \stackrel{\text{def}}{=} \{N \in \mathbb{Z}_{>1},\ y \in QR_N,\ y \equiv x^2 \pmod{N}\} \xrightarrow{\text{hard}} \{x\}.$$


When N is prime, the SQRT problem can be solved in polynomial-time. However,
when N is composite one needs to factor N first. Thus, if IFP can be solved in
polynomial-time, SQRT can also be solved in polynomial-time:


$$\text{IFP} \stackrel{\mathcal{P}}{\Longrightarrow} \text{SQRT}.$$


On the other hand, if SQRT can be solved in polynomial-time, IFP can also be
solved in polynomial-time:


$$\text{SQRT} \stackrel{\mathcal{P}}{\Longrightarrow} \text{IFP}.$$
That is,
$$\text{SQRT} \stackrel{\mathcal{P}}{\Longleftrightarrow} \text{IFP}.$$


It is precisely this intractability of SQRT that Rabin used to construct his
cryptosystem in 1979 [46].




7. Modular Polynomial Root Finding Problem (MPRFP). It is easy to compute
the integer roots of a polynomial in one variable over $\mathbb{Z}$:


$$p(x) = 0,$$


but the following modular polynomial root finding problem (MPRFP), or the
MPRFP problem for short, can be hard:


$$p(x) \equiv 0 \pmod{N},$$


which aims at finding integer roots (solutions) of the modular polynomial in one
variable. This problem can, of course, be extended to finding integer roots (solutions)
of a modular polynomial in several variables as follows:


$$p(x, y, \ldots) \equiv 0 \pmod{N}.$$


Coppersmith in 1997 [18] developed a powerful method to find all small
solutions $x_0$ of modular polynomial equations in one or two variables of
degree $\delta$ using the lattice reduction algorithm LLL [37]. Of course, for LLL to
run in a reasonable amount of time in finding such $x_0$'s, the value of $\delta$ cannot
be big.

8. The Quadratic Residuosity Problem (QRP). Let $N \in \mathbb{Z}^{+}_{>1}$, $\gcd(y, N) = 1$. 
Then $y$ is a quadratic residue modulo $N$, denoted by $y \in \mathrm{QR}_N$, if the quadratic 
congruence 

$$x^{2} \equiv y \pmod N$$

has a solution in $x$. If the congruence has no solution in $x$, then $y$ is a quadratic 
nonresidue modulo $N$, denoted by $y \in \overline{\mathrm{QR}}_N$. The Quadratic Residuosity Problem 
(QRP), or the QRP problem for short, is to decide whether or not $y \in \mathrm{QR}_N$: 

$$\mathrm{QRP} = \{N \in \mathbb{Z}^{+}_{>1},\ x^{2} \equiv y \pmod N\} \longrightarrow \{y \in \mathrm{QR}_N\}.$$

If $N$ is prime, or the prime factorization of $N$ is known, then QRP can be solved 
simply by evaluating the Legendre symbol $L(y, N)$. If $N$ is not a prime then one 
evaluates the Jacobi symbol $J(y, N)$ which, unfortunately, does not reveal if $y \in 
\mathrm{QR}_N$, i.e., $J(y, N) = 1$ does not imply $y \in \mathrm{QR}_N$ (it does if $N$ is prime). For 
example, $L(15, 17) = 1$, so $x^{2} \equiv 15 \pmod{17}$ is soluble, with $x \equiv \pm 7 \pmod{17}$ being 
the two solutions. However, although $J(17, 21) = 1$ there is no solution for $x^{2} \equiv 
17 \pmod{21}$. Thus, when $N$ is composite, the only way to decide whether or not 
$y \in \mathrm{QR}_N$ is to factor $N$. Thus, if IFP can be solved in polynomial-time, QRP can 
also be solved in polynomial-time: 

$$\mathrm{IFP} \stackrel{P}{\Longrightarrow} \mathrm{QRP}.$$

The security of the Goldwasser-Micali probabilistic encryption scheme [28] is 
based on the intractability of QRP. 
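The SQRT and QRP problems above, as one added example (constructed here, not code from the book): the Jacobi symbol reproduces the text's L(15, 17) = 1 and J(17, 21) = 1 cases, square roots modulo N = pq are obtained from the factorization by the Chinese Remainder Theorem (IFP ⟹ SQRT), and a square-root oracle for a composite N is turned into a factor of N (SQRT ⟹ IFP). The modulus 209 = 11 · 19 used in the oracle demonstration is a constructed sample value.

```python
"""Quadratic residues modulo N: the QRP and SQRT problems of this section."""
from math import gcd
import random


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol J(a, n) for odd n > 0; equals the Legendre symbol L(a, n) when n is prime."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_quadratic_residue(y: int, n: int) -> bool:
    """Decide y in QR_n by exhaustive search (only feasible for small n); used as ground truth."""
    return any(x * x % n == y % n for x in range(n))


def sqrt_mod_prime(y: int, p: int) -> int:
    """A square root of y modulo an odd prime p (Tonelli-Shanks); raises if y is a non-residue."""
    y %= p
    if y == 0:
        return 0
    if pow(y, (p - 1) // 2, p) != 1:          # Euler's criterion
        raise ValueError("y is a quadratic non-residue modulo p")
    if p % 4 == 3:                             # easy case: x = y^((p+1)/4)
        return pow(y, (p + 1) // 4, p)
    q, s = p - 1, 0                            # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)  # any non-residue
    m, c, t, r = s, pow(z, q, p), pow(y, q, p), pow(y, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                         # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def sqrt_mod_pq(y: int, p: int, q: int) -> list:
    """All four square roots of y modulo N = p*q (distinct odd primes) given the factorization:
    combine a root modulo p with a root modulo q by the Chinese Remainder Theorem."""
    n = p * q
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    roots = set()
    for a in (rp, p - rp):
        for b in (rq, q - rq):
            roots.add((a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n)
    return sorted(roots)


def factor_with_sqrt_oracle(n: int, sqrt_oracle, seed: int = 0) -> tuple:
    """SQRT => IFP: choose random x, ask the oracle for a root of x^2 mod N; with probability
    1/2 the root is neither x nor -x, and then gcd(x - root, N) is a proper factor of N."""
    rng = random.Random(seed)
    while True:
        x = rng.randrange(2, n)
        if gcd(x, n) != 1:
            continue
        root = sqrt_oracle(x * x % n)
        if root not in (x, n - x):
            p = gcd(x - root, n)
            return tuple(sorted((p, n // p)))
```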

9. Shortest Vector Problem (SVP). Problems related to lattices are also often 
hard to solve. Let $\mathbb{R}^{n}$ denote the space of $n$-dimensional real vectors $a = 
\{a_1, a_2, \ldots, a_n\}$ with usual dot product $a \cdot b$ and Euclidean norm or length 
$\|a\| = (a \cdot a)^{1/2}$. $\mathbb{Z}^{n}$ is the set of vectors in $\mathbb{R}^{n}$ with integer coordinates. If 
$A = \{a_1, a_2, \ldots, a_n\}$ is a set of linearly independent vectors in $\mathbb{R}^{n}$, then the set of 
vectors 

$$\left\{ \sum_{i=1}^{n} k_i a_i \ :\ k_1, k_2, \ldots, k_n \in \mathbb{Z} \right\}$$

is a lattice in $\mathbb{R}^{n}$, denoted by $L(A)$ or $L(a_1, a_2, \ldots, a_n)$. $A$ is called a basis of the 
lattice. A set of vectors in $\mathbb{R}^{n}$ is an $n$-dimensional lattice if there is a basis $V$ of $n$ 
linearly independent vectors such that $L = L(V)$. If $A = \{a_1, a_2, \ldots, a_n\}$ is a set 
of vectors in a lattice $L$, then the length of the set $A$ is defined by $\max(\|a_i\|)$. A 
fundamental theorem, due to Minkowski, is as follows. 

Theorem 1.1 (Minkowski). There is a universal constant $\gamma$ such that for any 
lattice $L$ of dimension $n$, $\exists v \in L$, $v \neq 0$, such that 

$$\|v\| \le \gamma \sqrt{n}\, \det(L)^{1/n}.$$

The determinant $\det(L)$ of a lattice is the volume of the $n$-dimensional fundamental 
parallelepiped, and the absolute constant $\gamma$ is known as Hermite's constant. 


A natural problem concerned with lattices is the shortest vector problem (SVP), 
or the SVP problem for short: 


Find the shortest non-zero vector in a high dimensional lattice. 


Minkowski's theorem is just an existence-type theorem and offers no clue on 
how to find a short, or the shortest, non-zero vector in a high dimensional 
lattice. There is no efficient algorithm for finding the shortest non-zero vector, or 
for finding an approximate short non-zero vector. The lattice reduction algorithm 
LLL [37] can be used to find short vectors, but it is not effective in finding 
short vectors when the dimension $n$ is large, say, for example, $n > 100$. This 
allows lattices to be used in the design of cryptographic systems, and in fact 
several cryptographic systems, such as NTRU [33] and the Ajtai-Dwork system 
[2], are based on the intractability of finding the shortest non-zero vector in a 
high dimensional lattice. 
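In dimension 2 the shortest vector can still be found exactly, which is the situation the text contrasts with large n. The following is an added example (constructed here, not code from the book): Lagrange-Gauss reduction of a 2-dimensional integer lattice basis, with a brute-force search over small coefficients used only to confirm the result; the bases are constructed sample values.

```python
"""Shortest non-zero vector of a 2-dimensional lattice L(a, b) by Lagrange-Gauss reduction."""
from itertools import product

Vec = tuple  # a lattice vector is a pair of integers (x, y)


def dot(a: Vec, b: Vec) -> int:
    """Usual dot product a . b; the squared length is dot(a, a)."""
    return a[0] * b[0] + a[1] * b[1]


def lattice_det(a: Vec, b: Vec) -> int:
    """det(L): the area of the fundamental parallelogram spanned by the basis a, b."""
    return abs(a[0] * b[1] - a[1] * b[0])


def gauss_reduce(a: Vec, b: Vec) -> tuple:
    """Lagrange-Gauss reduction. Returns a reduced basis (u, v) with |u| <= |v|,
    where u is a shortest non-zero vector of L(a, b)."""
    if lattice_det(a, b) == 0:
        raise ValueError("basis vectors must be linearly independent")
    u, v = (a, b) if dot(a, a) <= dot(b, b) else (b, a)
    while True:
        m = round(dot(u, v) / dot(u, u))          # nearest-integer projection coefficient
        v = (v[0] - m * u[0], v[1] - m * u[1])    # size-reduce v against u
        if dot(v, v) >= dot(u, u):                # no further improvement: u is shortest
            return u, v
        u, v = v, u                               # otherwise swap and continue


def shortest_by_brute_force(a: Vec, b: Vec, coeff_bound: int = 30) -> int:
    """Squared length of the shortest non-zero k1*a + k2*b with |k1|, |k2| <= coeff_bound.
    Exhaustive search is only feasible for tiny dimension and small coefficients."""
    best = None
    for k1, k2 in product(range(-coeff_bound, coeff_bound + 1), repeat=2):
        if (k1, k2) == (0, 0):
            continue
        w = (k1 * a[0] + k2 * b[0], k1 * a[1] + k2 * b[1])
        if best is None or dot(w, w) < best:
            best = dot(w, w)
    return best
```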


In this book, we shall be more interested in those number theoretic problems 
that are computationally intractable, since the security of modern public-key crypto-
graphy relies on the intractability of these problems. A problem is computationally 
intractable if it cannot be solved in polynomial-time. Thus, from a computational 
complexity point of view, any problem beyond $\mathcal{P}$ is intractable. There are, however, 
different types of intractable problems (see Figure 1.3). 

[Figure 1.3 Tractable and intractable problems: within the computable problems, the 
tractable problems (e.g., modular exponentiation), the conjectured intractable problems 
(e.g., IFP), the presumably intractable problems (e.g., TSP) and the provably intractable 
problems.] 


1. Provably intractable problems: Problems that are Turing computable but can be 
shown to be in $\mathcal{PS}$ ($\mathcal{P}$-Space), $\mathcal{NPS}$ ($\mathcal{NP}$-Space), $\mathcal{EXP}$ (exponential-time), etc., and of 
course outside $\mathcal{NP}$, are provably and certainly intractable. Note that although we 
do not know if $\mathcal{P} = \mathcal{NPS}$, we know $\mathcal{PS} = \mathcal{NPS}$. 

2. Presumably intractable problems: Problems in $\mathcal{NP}$ but outside of $\mathcal{P}$, particularly 
those problems in $\mathcal{NPC}$ ($\mathcal{NP}$-Complete) such as the Travelling Salesman 
Problem, the Knapsack Problem, and the satisfiability problem, are presumably 
intractable, since we do not know whether or not $\mathcal{P} = \mathcal{NP}$. If $\mathcal{P} = \mathcal{NP}$, then 
all problems in $\mathcal{NP}$ will no longer be intractable. However, it is more likely that 
$\mathcal{P} \neq \mathcal{NP}$. From a cryptographic point of view, it would be nice if encryption 
schemes could be designed to be based on some $\mathcal{NP}$-Complete problems, since 
these types of schemes can be difficult to break. Experience, however, tells us 
that very few encryption schemes are based on $\mathcal{NP}$-Complete problems. 

3. Conjectured intractable problems: By conjectured intractable problems we mean 
that the problems are currently in $\mathcal{NP}$-Complete, but no-one can prove they must 
be in $\mathcal{NP}$-Complete; they may be in $\mathcal{P}$ if efficient algorithms are invented for 
solving these problems. Typical problems in this category include the Integer 
Factorization Problem, the Discrete Logarithm Problem and the Elliptic Curve 
Discrete Logarithm Problem. Again, from a cryptographic point of view, we 
are more interested in this type of intractable problems, and in fact, IFP, DLP 
and ECDLP are essentially the only three intractable problems that are practical 
and widely used in commercial cryptography. For example, the most famous and 
widely used RSA cryptographic system relies for its security on the intractability of 
the IFP problem. 

The difference between the presumably intractable problems and the conjectured 
intractable problems is important and should not be confused. For example, both 
TSP and IFP are intractable, but the difference between TSP and IFP is that TSP 
has been proved to be $\mathcal{NP}$-Complete whereas IFP is only conjectured to be $\mathcal{NP}$-
Complete. IFP may be $\mathcal{NP}$-Complete, but also may not be $\mathcal{NP}$-Complete. 

Finally, we present a complexity measure of number-theoretic problems in big-$O$ 
notation. 

Definition 1.1. Let 
$$f, g : \mathbb{Z}^{+} \to \mathbb{R}.$$
Define 
$$f = O(g),$$
if there exists $c \in \mathbb{R}_{>0}$ with 
$$|f(n)| \le c\, g(n), \quad \text{for all } n.$$

Definition 1.2. Let 
$$L_n(\alpha, c) = \exp\left(c (\log n)^{\alpha} (\log\log n)^{1-\alpha}\right),$$
where $\alpha \in [0, 1]$, $c \in \mathbb{R}_{>0}$. 

(1) If a problem can be solved by an algorithm in expected running time 
$$T(n) = O(L_n(0, c)),$$
then the algorithm is a polynomial-time algorithm (or efficient algorithm), and the 
corresponding problem is an easy problem (i.e., the problem can be solved easily). 
It is also common to use $O((\log n)^{k})$ with $k$ constant to represent polynomial-
time complexity. For example, the multiplication of two $\log n$ bit numbers by the 
ordinary method takes time in $O((\log n)^{2})$, whereas the fastest known multiplication 
method has a running time of 
$$O(\log n \log\log n \log\log\log n) = O((\log n)^{1+\epsilon}).$$

(2) If a problem can be solved by an algorithm in expected running time 
$$T(n) = O(L_n(1, c)),$$
then the algorithm is an exponential-time algorithm (or inefficient algorithm), and 
the corresponding problem is a hard problem (i.e., the problem is hard to 
solve). Note that since $\log n$ is the length of the input, $O((\log n)^{k})$ is polynomial-
time complexity, whereas $O(n^{\epsilon})$ is not, since $O(n^{\epsilon}) = O(2^{\epsilon \log n})$, an 
exponential complexity. 

(3) An algorithm is of subexponential-time complexity if 
$$T(n) = O(L_n(\alpha, c)), \quad 0 < \alpha < 1.$$
Subexponential-time complexity is an important and interesting class between 
the two extremes, and in fact, many of the number-theoretic algorithms 
discussed in this book, such as the algorithms for integer factorization and 
discrete logarithms, fall into this special class, which is slower than polynomial-
time but faster than exponential-time. For example, the best algorithms for 
IFP and DLP run in subexponential-time. For ECDLP, we do not even have 
a subexponential-time algorithm. 


Problems for Section 1.2 

1. Prove or disprove that 
(1) there are infinitely many Mersenne prime numbers; 
(2) there are infinitely many Mersenne composite numbers. 
Find the 48th Mersenne prime. 

2. What is the difference between the Integer Factorization Problem and the Prime 
Factorization Problem? 

3. What is the difference between the Discrete Logarithm Problem and the Elliptic 
Curve Discrete Logarithm Problem? 

4. Show that solving the Square Root Problem is equivalent to that of the Integer 
Factorization Problem. 

5. Show that solving the Quadratic Residuosity Problem is equivalent to that of 
the Integer Factorization Problem. 

6. Find all the prime factors of the following numbers: 
(1) 11111111111 (the number consisting of eleven 1s) 
(2) 111111111111 (the number consisting of twelve 1s) 
(3) 1111111111111 (the number consisting of thirteen 1s) 
(4) 11111111111111 (the number consisting of fourteen 1s) 
(5) 111111111111111 (the number consisting of fifteen 1s) 
(6) 1111111111111111 (the number consisting of sixteen 1s) 
(7) 11111111111111111 (the number consisting of seventeen 1s) 
(8) Can you find any pattern for the prime factorization of the above numbers? 

7. Do you think the Integer Factorization Problem, or more generally the Prime 
Factorization Problem, is hard to solve? Justify your answer. 

8. Can you find some problems that have similar properties or difficulty to 
the Integer Factorization Problem? (We shall explain this in detail in the next 
section.) 

9. Find the discrete logarithm $k$ 
$$k = \log_{2} 3 \pmod{11}$$
such that 
$$2^{k} \equiv 3 \pmod{11},$$
and the discrete logarithm $k$ 
$$k = \log_{123456789} 962 \pmod{9876543211}$$
such that 
$$123456789^{k} \equiv 962 \pmod{9876543211}.$$

10. Find the square root $y$ 
$$y = \sqrt{3} \pmod{11}$$
such that 
$$y^{2} \equiv 3 \pmod{11},$$
and the square root $y$ 
$$y = \sqrt{123456789} \pmod{987654321}$$
such that 
$$y^{2} \equiv 123456789 \pmod{987654321}.$$
1.3 What is Quantum Computational Number Theory 

Just the same as computational number theory, quantum computational number theory, 
as its name suggests, may be regarded as a combined subject of computational 
number theory and quantum computing. That is, 

$$\text{Quantum Computational Number Theory} := \text{Computational Number Theory} \oplus \text{Quantum Computing}.$$

The aim of quantum computational number theory is to use quantum computational 
techniques to solve number-theoretic problems that are hard, more 
precisely, intractable for classical computers. The main research goals in the area 
are to build practical and large scale quantum computers and to discover new 
polynomial-time quantum algorithms to solve the intractable, hopefully $\mathcal{NP}$-
Complete, problems in number theory. 

Generally speaking, there are three categories of problems in which quantum computers 
may play a role: 


1. Algorithms related to determining functional periodicity. Algorithms in this 
category include: 
(1) Simon's algorithm for distinguishing different functions (see [51, 52]). 
(2) Shor's algorithms for IFP, DLP and ECDLP (see [44, 47, 48]). 
(3) Hallgren's algorithm for solving Pell's equation $x^{2} - dy^{2} = 1$ for a given 
positive integer $d$. 

2. Algorithms related to information retrieval, such as Grover's quantum algorithm 
for search. 

3. Algorithms related to simulations and computations in quantum mechanics, 
e.g., Feynman's simulation of quantum physics. 


In computational number theory, we are interested in the first two categories of 
quantum algorithms, as they are directly related to problems in number theory. 

It has been known for some time that some number-theoretic problems cannot 
be solved in polynomial-time by classical computers but can be by quantum computers, 
provided that a practical quantum computer can be built. Problems in this category 
include: 

1. The Integer Factorization Problem (IFP): It is well-known that IFP is intractable 
for computers, which is exactly the security basis of the RSA (Rivest-Shamir-
Adleman) cryptography. The fastest algorithm, namely, the Number Field Sieve, 
runs in subexponential-time 

$$O\left(\exp\left(c (\log n)^{1/3} (\log\log n)^{2/3}\right)\right),$$

where $c = (32/9)^{1/3} \approx 1.5$ for special numbers and $c = (64/9)^{1/3} \approx 1.9$ for general 
numbers. Surprisingly, Shor in 1994 (see [47, 48]) proposed a quantum algorithm 
which can be used to solve IFP in polynomial-time 

$$O((\log n)^{2+\epsilon}),$$

provided that a practical quantum computer is available. 

2. The Discrete Logarithm Problem (DLP): Just the same as IFP, DLP is also an 
intractable computational problem, for which no polynomial-time algorithm has 
been found so far. The security of the famous DHM (Diffie-Hellman-Merkle) 
key-exchange scheme and DSA (US government's Digital Signature Algorithm) 
relies on the intractability of DLP. In the classical computing world, the fastest 
algorithm for DLP, namely, NFS, runs in subexponential-time 

$$O\left(\exp\left(c (\log Q)^{1/3} (\log\log Q)^{2/3}\right)\right),$$

where $Q$ is the size of a finite field, as the DLP problem we are interested in 
(particularly in the cryptographic setting) is normally over a large finite field 
$\mathbb{F}_Q = \mathbb{Z}_p$. However, for finite fields with small characteristic, there is a slightly 
faster algorithm, namely, FFS (Function Field Sieve), which runs in time proportional to 

$$O\left(\exp\left(c (\log Q)^{1/3} (\log\log Q)^{2/3}\right)\right),$$

where 

There is an even faster algorithm, again for some finite fields with small character-
istic, which runs in time 

$$O\left(\exp\left(c (\log Q)^{1/4} (\log\log Q)^{3/4}\right)\right),$$

for some small constant $c$. Remarkably, Shor's quantum algorithm can also be 
used to solve DLP in polynomial-time 

$$O((\log n)^{2+\epsilon}),$$

the same as for IFP. 

3. The Elliptic Curve Discrete Logarithm Problem (ECDLP): Recall that the 
general DLP problem may be defined over a multiplicative group $\mathbb{Z}_n^{*}$ (when $n$ is 
replaced by $p^{k}$, then $\mathbb{Z}_{p^{k}}$ is a finite field, also denoted by $\mathbb{F}_{p^{k}}$ or $\mathrm{GF}(p^{k})$). If we 
replace the multiplicative group $\mathbb{Z}_{p^{k}}^{*}$ with an elliptic curve group $E(\mathbb{Q})$, the DLP 
problem over $E(\mathbb{Q})$ is the Elliptic Curve Discrete Logarithm Problem (ECDLP), 
which may be defined as follows: Let $P, Q$ be two points of the elliptic curve 
$E: y^{2} = x^{3} + ax + b$ over the rational field $\mathbb{Q}$; then the problem to find the 
integer $k$ such that $P = kQ$ is the ECDLP problem. Although there are many 
algorithms to solve ECDLP, none of them can run in polynomial-time. Again, 
surprisingly, Shor's quantum algorithm for DLP can be used to solve the ECDLP 
problem in polynomial-time. 

4. Pell's Equation: A Pell's equation (see [31, 38, 59]) is a quadratic Diophantine 
equation in any one of the following three forms 


where $d$ is a positive integer other than a perfect square, and $n$ a positive integer 
greater than 1. For simplicity, we only consider the following Pell's equation: 

$$x^{2} - dy^{2} = 1.$$

In this type of Pell's equation, we are interested in finding positive integer 
solutions $x, y$ for a given $d$. Clearly, if we can find the first (i.e., the smallest 
possible or the fundamental) solution $x_1, y_1$, the $n$th solution $x_n, y_n$ can be written 
in terms of the first one as follows: 

$$x_n + y_n \sqrt{d} = (x_1 + y_1 \sqrt{d})^{n}.$$

For example, given Pell's equation 

$$x^{2} - 73y^{2} = 1,$$

one may find $\{x_1, y_1\} = \{2281249, 267000\}$, that is, 

$$2281249^{2} - 73 \cdot 267000^{2} = 1.$$

The fastest method to solve Pell's equation is the smooth number method, similar 
to NFS for IFP or DLP, which runs in subexponential-time 

$$O\left(\exp\left(c (\log d)^{1/2} (\log\log d)^{1/2}\right)\right),$$

where $\log d$ is the input size and $c < 1$ is a small real constant. Hallgren in 
2002 discovered a quantum algorithm for solving Pell's equation, which runs in 
polynomial-time 

$$O(\mathrm{poly}(\log d)), \quad \text{with probability } 1/\mathrm{poly}(\log d),$$

where $O(\mathrm{poly}(\log d))$ is the polynomial-time complexity 
$O((\log d)^{k})$ for some constant $k$. 
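The fundamental solution of x² − dy² = 1 and the formula x_n + y_n√d = (x_1 + y_1√d)^n, as an added example (constructed here, not code from the book): the fundamental solution is read off the continued-fraction expansion of √d, the classical method mentioned in Problem 4 of Section 1.3, and the page's own instance d = 73 with (x_1, y_1) = (2281249, 267000) is reproduced; the n-th solution is then generated with integer arithmetic only.

```python
"""Pell's equation x^2 - d*y^2 = 1: fundamental solution and the n-th solution."""
from math import isqrt


def fundamental_solution(d: int) -> tuple:
    """Smallest positive (x, y) with x^2 - d*y^2 = 1, for a positive non-square d.
    Walks the convergents h/k of the continued fraction of sqrt(d) until one satisfies
    the equation (the first one may give -1 when the period is odd, so keep going)."""
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    # Continued fraction of sqrt(d):  a_j = floor((a0 + m_j) / q_j),
    #   m_{j+1} = q_j * a_j - m_j,   q_{j+1} = (d - m_{j+1}^2) / q_j   (exact division).
    m, q, a = 0, 1, a0
    h_pr, h = 1, a0          # numerators of the convergents: h_j = a_j*h_{j-1} + h_{j-2}
    k_pr, k = 0, 1           # denominators:                  k_j = a_j*k_{j-1} + k_{j-2}
    while h * h - d * k * k != 1:
        m = q * a - m
        q = (d - m * m) // q
        a = (a0 + m) // q
        h_pr, h = h, a * h + h_pr
        k_pr, k = k, a * k + k_pr
    return h, k


def nth_solution(d: int, n: int) -> tuple:
    """(x_n, y_n) defined by x_n + y_n*sqrt(d) = (x_1 + y_1*sqrt(d))^n, computed by
    repeated multiplication in Z[sqrt(d)]: (a + b*sqrt(d))(x1 + y1*sqrt(d))."""
    x1, y1 = fundamental_solution(d)
    x, y = x1, y1
    for _ in range(n - 1):
        x, y = x * x1 + d * y * y1, x * y1 + y * x1
    return x, y
```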


5. Function Distinguishing: Let us first define the function distinguishing problem 
(or Simon's problem in short). Suppose we are given a function $f : \{0, 1\}^{n} \to 
\{0, 1\}^{m}$ with $m \ge n$, satisfying the property that $f$ is 1-to-1 or there exists a non-
trivial $s$ such that 

$$\forall x \neq x' \quad \left(f(x) = f(x') \iff x' = x \oplus s\right),$$

where $\oplus$ denotes bitwise exclusive-or. We are asked to determine 
which of these conditions holds for $f$, and in the second case, to find $s$. In 1994 
Simon (see [51, 52]) proposed a quantum algorithm that solves the function dis-
tinguishing problem exponentially faster than any (deterministic or probabilistic) 
classical algorithm. Although the problem and the solution themselves are of 
little practical value, it is interesting because it provides an exponential speedup 
over any classical algorithm. Moreover, it was also the inspiration for Shor to 
develop his quantum factoring algorithm. Note that both the factoring problem 
and Simon's problem are special cases of the abelian hidden subgroup problem, 
which is now known to have efficient quantum algorithms. 
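The function distinguishing problem from the classical side, as an added example (constructed here, not code from the book): a 2-to-1 function with hidden period s is built so that f(x) = f(x') exactly when x' = x ⊕ s, and s is recovered classically by searching for a collision, which is the exponential-cost step that Simon's quantum algorithm avoids. The bit length and the period used are constructed sample values.

```python
"""Simon's problem: constructing a periodic f and recovering s by classical collision search."""
import random
from typing import Callable, Optional


def make_simon_function(n: int, s: int, seed: int = 0) -> Callable[[int], int]:
    """Return f on n-bit strings (as integers) with f(x) = f(x') iff x' = x xor s, for s != 0.
    Each pair {x, x xor s} gets its own distinct random label, so f is exactly 2-to-1."""
    if not 0 < s < (1 << n):
        raise ValueError("s must be a non-trivial n-bit string")
    rng = random.Random(seed)
    labels = rng.sample(range(1 << n), 1 << n)     # a random permutation of the n-bit values
    table = {}
    for x in range(1 << n):
        representative = min(x, x ^ s)             # canonical element of the pair {x, x xor s}
        table[x] = labels[representative]
    return lambda x: table[x]


def find_period_classically(f: Callable[[int], int], n: int) -> Optional[int]:
    """Query f on inputs until two of them collide; their xor is then s.
    Returns None when no collision exists, i.e. f is 1-to-1 on {0,1}^n.
    A collision search of this kind costs on the order of 2^(n/2) queries."""
    seen = {}
    for x in range(1 << n):
        value = f(x)
        if value in seen:
            return x ^ seen[value]
        seen[value] = x
    return None
```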


It is helpful to make a remark about the power of quantum computation by saying 
that quantum computers are not just faster versions of classical computers, but use a 
different paradigm for computation; they may provide an exponential speedup over 
any existing classical algorithm for some computational problems such as IFP, DLP 
and ECDLP, but for other hard computational problems, such as the $\mathcal{NP}$-Complete 
problems (e.g., the famous travelling salesman problem), they do not provide any 
speedup at all. For quantum computers to be useful, we would expect them to solve 
the $\mathcal{NP}$-Complete problems. 


Problems for Section 1.3 

1. Explain why for some computational problems quantum computers can provide 
exponentially fast speedup, but for other problems not at all. 

2. Explain why Shor's factoring algorithm (see [47, 48]) can factor integers in 
polynomial-time. 

3. Explain why Shor's quantum factoring algorithm for IFP can be extended to DLP 
and ECDLP. 

4. Pell's equation can be solved by using the continued fractions which can be 
implemented by the efficient Euclid's algorithm. Explain why Pell's equation 
cannot be solved efficiently in polynomial-time by any classical algorithm (see 
[38]). 

5. Explain why Pell's equation can be solved in polynomial-time by a quantum 
algorithm (see [31]). 

6. (Hard research problem) All problems currently solvable by a quantum computer 
are not $\mathcal{NP}$-Complete. Can a quantum computer solve an $\mathcal{NP}$-Complete prob-
lem? If so, give an example. 


1.4 Chapter Notes and Further Reading 

In this beginning chapter of the book, we have provided an introduction and 
overview of the basic concepts and problems in number theory, computation theory, 
computational number theory and quantum computational number theory. In the rest 
of the chapters of the book, we shall concentrate on quantum computational number 
theory. 

The theory of numbers is one of the oldest branches of mathematics, and 
of course the basis for quantum computational number theory. There are many 
established and classical books and references in the field. Readers are strongly 
suggested to consult the following books by Baker [3, 4], Davenport [21], Hardy, 
Wright and Wiles [32], Niven, Zuckerman and Montgomery [43]. 

Computational number theory, a combined subject of number theory and com-
puter science, more specifically, the theory of computation, is an active, lively and 
young subject of study in both mathematics and computer science; the following 
books are somewhat the standard references in the field: [14, 20, 36, 45, 59]. 

Quantum computing in general and quantum computational number theory in 
particular are the main topics of the present book. Readers are suggested to consult 
the following references before moving on to the remaining chapters of the book in order 
to get some more background information: [1, 5-7, 11, 22-24, 30, 41, 42, 47-50, 
56, 57] and [60, 61]. 

Computation is the main ingredient of both computational number theory and 
quantum computational number theory. Although historically computation is as old 
as mathematics, the modern theory of computation may have started its life just in the 
1930s with the work of Turing [54], Church [12, 13], and some others. We shall 
discuss in detail the theory of computation, both classical and quantum, in the next 
chapter, but readers may consult the following references before moving on to 
reading the next chapter: [15-17, 19, 25, 26, 34, 36, 39, 53]. 

Chapter 2 
Classical and Quantum Computation 


If quantum mechanics hasn’t profoundly shocked you, you 
haven’t understood it yet. 


NIELS BOHR (1885-1962) 
The 1922 Nobel Laureate in Physics 


Computation has long been a driving force in the development of mathematics in 
general and in number theory in particular. Many of the great theorems, such as 
the Prime Number Theorem, and conjectures, such as the Riemann hypothesis and 
the BSD (Birch and Swinnerton-Dyer) conjecture, are rooted in and motivated by 
computational experiments. So computation is the main ingredient and component 
of both computational number theory and quantum computational number theory. 
In this chapter, we shall give an account of the basic concepts and results in both 
classical and quantum computation theories that will be used in the rest of the 
book. More specifically, we shall try to answer the following questions related to 
computation: 

1. What is computation/quantum computation? 
2. What can computers do, and what can they not do? 
3. What can a quantum computer do, and what can it not do? 


2.1 Classical Computability Theory 


Computability studies what a computer can do and what a computer cannot do. 
As a Turing machine can do everything that a real computer can do, our study of 
computability will be within the theoretical framework of Turing machines. 
[Figure 2.1 $k$-tape ($k \ge 1$) Turing machine] 


2.1.1 Turing Machines 


The idea and the theory of Turing machines were first proposed and studied by the 
great English logician and mathematician Alan Turing (1912-1954) in his seminal 
paper [45] published in 1936. First of all, we shall present a formal definition of the 
Turing machine. 


Definition 2.1. A standard multitape Turing machine, $M$ (see Figure 2.1), is an 
algebraic system defined by 

$$M = (Q, \Sigma, \Gamma, \delta, q_0, \square, F)$$

where 

1. $Q$ is a finite set of internal states; 
2. $\Sigma$ is a finite set of symbols called the input alphabet. We assume that $\Sigma \subseteq 
\Gamma - \{\square\}$; 
3. $\Gamma$ is a finite set of symbols called the tape alphabet; 
4. $\delta$ is the transition function, which is defined by 
(1) if $M$ is a Deterministic Turing Machine (DTM), then 
$$\delta: Q \times \Gamma^{k} \to Q \times \Gamma^{k} \times \{L, R\}^{k},$$
(2) if $M$ is a Non-Deterministic Turing Machine (NDTM), then 
$$\delta: Q \times \Gamma^{k} \to 2^{Q \times \Gamma^{k} \times \{L, R\}^{k}},$$
where $L$ and $R$ specify the movement of the read-write head left or right. When 
$k = 1$, it is just a standard one-tape Turing machine; 
5. $\square \in \Gamma$ is a special symbol called the blank; 
6. $q_0 \in Q$ is the initial state; 
7. $F \subseteq Q$ is the set of final states. 

Turing machines, although simple and abstract, provide us with a most suitable 
model of computation for modern digital and even quantum computers. 


Example 2.1. Given two positive integers $x$ and $y$, design a Turing machine that 
computes $x + y$. First, we have to choose some convention for representing positive 
integers. For simplicity, we will use unary notation in which any positive integer 
$x$ is represented by $w(x) \in \{1\}^{*}$, such that $|w(x)| = x$. Thus in this notation, 4 
will be represented by 1111. We must also decide how $x$ and $y$ are placed on the 
tape initially and how their sum is to appear at the end of the computation. It is 
assumed that $w(x)$ and $w(y)$ are on the tape in unary notation, separated by a single 
0, with the read-write head on the leftmost symbol of $w(x)$. After the computation, 
$w(x + y)$ will be on the tape followed by a single 0, and the read-write head will be 
positioned at the left end of the result. We therefore want to design a Turing machine 
for performing the computation 

$$q_0 w(x) 0 w(y) \vdash^{*} q_f w(x + y) 0,$$

where $q_f \in F$ is a final state, and $\vdash^{*}$ indicates an unspecified number of steps as 
follows: 

$$q_0 w(x) 0 w(y) \vdash \cdots \vdash q_f w(x + y) 0.$$

Constructing a program for this is relatively simple. All we need to do is to move 
the separating 0 to the right end of $w(y)$, so that the addition amounts to nothing 
more than the concatenation of the two strings. To achieve this, we construct 

$$M = (Q, \Sigma, \Gamma, \delta, q_0, \square, F),$$

with 
$$Q = \{q_0, q_1, q_2, q_3, q_4\},$$
$$F = \{q_4\},$$
$$\delta(q_0, 1) = (q_0, 1, R),$$
$$\delta(q_0, 0) = (q_1, 1, R),$$
$$\delta(q_1, 1) = (q_1, 1, R),$$
$$\delta(q_1, \square) = (q_2, \square, L),$$
$$\delta(q_2, 1) = (q_3, 0, L),$$
$$\delta(q_3, 1) = (q_3, 1, L),$$
$$\delta(q_3, \square) = (q_4, \square, R).$$

Note that in moving the 0 right we temporarily create an extra 1, a fact that is 
remembered by putting the machine into state $q_2$. The transition $\delta(q_2, 1) = (q_3, 0, L)$ 
is needed to remove this at the end of the computation. This can be seen from the 
sequence of instantaneous descriptions for adding 111 to 11: 

$$\begin{aligned}
q_0 111011 &\vdash 1 q_0 11011 \\
&\vdash 11 q_0 1011 \\
&\vdash 111 q_0 011 \\
&\vdash 1111 q_1 11 \\
&\vdash 11111 q_1 1 \\
&\vdash 111111 q_1 \\
&\vdash 11111 q_2 1 \\
&\vdash 1111 q_3 10 \\
&\vdash q_3 \square 111110 \\
&\vdash q_4 111110,
\end{aligned}$$

or, briefly as follows: 

$$q_0 111011 \vdash^{*} q_4 111110.$$
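The unary-addition machine of Example 2.1, simulated step by step, as an added example (constructed code, not the book's): the transition table is the one given in the text, and the final step δ(q3, □) = (q4, □, R), which the sequence of instantaneous descriptions uses to return the head to the left end of the result, is included here as an assumption; the simulator records the same instantaneous descriptions as the trace above.

```python
"""Simulation of the unary-addition Turing machine of Example 2.1."""
BLANK = "_"   # the blank tape symbol (drawn as an empty square in the text)

# DELTA[(state, read symbol)] = (next state, written symbol, head move)
DELTA = {
    ("q0", "1"): ("q0", "1", "R"),
    ("q0", "0"): ("q1", "1", "R"),
    ("q1", "1"): ("q1", "1", "R"),
    ("q1", BLANK): ("q2", BLANK, "L"),
    ("q2", "1"): ("q3", "0", "L"),
    ("q3", "1"): ("q3", "1", "L"),
    ("q3", BLANK): ("q4", BLANK, "R"),   # assumed: head back to the left end of w(x + y)
}
FINAL = {"q4"}


def run_tm(tape_str: str, start: str = "q0", max_steps: int = 10_000):
    """Run M from `start` with the head on the leftmost tape symbol.
    Returns (final state, tape as a dict position -> symbol, head position, list of IDs)."""
    tape = dict(enumerate(tape_str))
    state, head, trace = start, 0, []

    def instantaneous_description() -> str:
        # symbols left of the head, then the state, then the head symbol and the rest
        lo, hi = min(tape), max(tape)
        left = "".join(tape.get(i, BLANK) for i in range(lo, head))
        right = "".join(tape.get(i, BLANK) for i in range(head, hi + 1))
        return left.lstrip(BLANK) + state + right.rstrip(BLANK)

    for _ in range(max_steps):
        trace.append(instantaneous_description())
        if state in FINAL:
            return state, tape, head, trace
        key = (state, tape.get(head, BLANK))
        if key not in DELTA:
            raise RuntimeError(f"no transition for {key}: M halts in a non-final state")
        state, tape[head], move = DELTA[key]
        head += 1 if move == "R" else -1
    raise RuntimeError("step limit exceeded")


def tm_add(x: int, y: int):
    """Add positive integers x and y in unary: returns (x + y, the sequence of IDs)."""
    state, tape, head, trace = run_tm("1" * x + "0" + "1" * y)
    total = 0
    while tape.get(head + total, BLANK) == "1":   # read w(x + y) from the head position
        total += 1
    return total, trace
```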


2.1.2 The Church-Turing Thesis 

Any effectively computable function can be computed by a Turing machine, and 
there is no effective procedure that a Turing machine cannot perform. This leads 
naturally to the following famous Church-Turing thesis, named after Alonzo Church 
and Alan Turing: 

The Church-Turing thesis. Any effectively computable function can be computed by a 
Turing machine. 

The Church-Turing thesis thus provides us with a powerful tool to distinguish 
what is computation and what is not computation, what function is computable 
and what function is not computable, and more generally, what computers can do 
and what computers cannot do. 

It must be noted that the Church-Turing thesis is not a mathematical theorem, 
and hence it cannot be proved formally, since, to prove the Church-Turing thesis, 
we need to formalize what is effectively computable, which is impossible. However, 
much computational evidence supports the thesis and in fact no counterexample has 
been found yet. 

Remark 2.1. Church in his famous 1936 paper [7] proposed the important concept 
of $\lambda$-definability and later in his book review [8] on Turing's 1936 paper, he said that 
all effective procedures are in fact Turing equivalent. This is what we now call the 
Church-Turing thesis. It is interesting to note that Church was the Ph.D. advisor of 
Alan Turing (1938), Michael Rabin (1957) and Dana Scott (1958), all at Princeton; 
Rabin and Scott were also the 1976 Turing Award recipients, a prize considered the 
equivalent of the Nobel Prize in Computer Science. 


2.1.3 Decidability and Computability 

Although a Turing machine can do everything that a real computer can do, there 
are, however, many problems that Turing machines cannot do; the simplest one 
is actually related to the Turing machine itself, the so-called Turing machine halting 
problem. 

Definition 2.2. A language is Turing-acceptable if there exists a Turing machine 
that accepts the language. A Turing-acceptable language is also called a recursively 
enumerable language. 

When a Turing machine starts on an input, there are three possible outcomes: 
accept, reject or loop (i.e., the machine falls into an infinite loop without any output). 
If a machine can always make a decision to accept or reject a language, then the 
machine is said to decide the language. 

Definition 2.3. A language is Turing-decidable if there exists a Turing machine 
that decides the language; otherwise, it is Turing-undecidable. A Turing-decidable 
language is also called a recursive language. 

Definition 2.4. The Turing Machine Halting Problem may be defined as follows: 

$$L_{\mathrm{TM}} = \{(M, w) \mid M \text{ is a Turing machine and } M \text{ accepts } w\}.$$

Theorem 2.1. $L_{\mathrm{TM}}$ is undecidable. 

Turing machines that always halt are a good model of an algorithm, a well-defined 
sequence of steps that always finishes and produces an answer. If an algorithm 
for a given problem exists, then the problem is decidable. Let the language $L$ be 
a problem; then $L$ is decidable if it is a recursive language, and it is undecidable if 
it is not a recursive language. From a practical point of view, the existence or non-
existence of an algorithm to solve a problem is more important than the existence 
or non-existence of a Turing machine to solve the problem. So, to distinguish 
problems or languages between decidable or undecidable is more important than 
that between recursively enumerable and non-recursively enumerable. Figure 2.2 
shows the relationships among the three classes of problems/languages. 

[Figure 2.2 Relationships among recursive-related languages/problems] 


Problems for Section 2.1 

1. Explain 
(1) why a Turing machine can do everything that a real computer can do. 
(2) why any computable function can be computed by a Turing machine. 

2. Explain why the Church-Turing thesis cannot be proved rigorously. 

3. Explain why all different types of Turing machines, such as single tape Turing 
machines and multiple tape Turing machines, are equivalent. 

4. Show that there is a language that is recursively enumerable but not recursive 
[29]. 

5. Hilbert's tenth problem [30] states that given a Diophantine equation with any 
number of unknown quantities and with rational integral numerical coefficients: 
To devise a process according to which it can be determined in a finite number 
of operations whether the equation is solvable in rational integers. Show that 
Hilbert's tenth problem is undecidable. 

6. Show that the Turing Machine Halting Problem is undecidable. Give some more 
examples of problems that are undecidable [24]. 
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2.2 Classical Complexity Theory 


Computability is only concerned with what computer can do, but ignores the com- 
puting resources such as the time and space required for completing a computation 
task. Computational complexity, on the other hand, fills this gap by considering 
mainly the computing resources such as the time and space required for completing 
a computation task. Thus a theoretically computable problem may be practically 
uncomputable if it required too much time such as 50 million years or too much 
space. In this section, we shall study mainly the time complexity of computational 
problems. 


2.2.1 Complexity Classes 


First of all, we shall present a series of formal definitions for some common 
computational complexity classes based on Turing machines. To do so, we need 
a definition for probabilistic or randomized Turing machines. 


Definition 2.5. A Probabilistic Turing Machine (PTM) is a type of nondeter- 
ministic Turing machine with distinct states called coin-tossing states. For each 
coin-tossing state, the finite control unit specifies two possible legal next states. 
The computation of a probabilistic Turing machine is deterministic except that in 
coin-tossing states the machine tosses an unbiased coin to decide between the two 
possible legal next states. 


A probabilistic Turing machine can be viewed as a Randomized Turing Machine 
[24], as described in Figure 2.3. The first tape, holding the input, is just the same as 
in a conventional multitape Turing machine. The second tape is referred to as the random 
tape, containing randomly and independently chosen bits, with probability 1/2 of a 
0 and the same probability 1/2 of a 1. The third and subsequent tapes are used, if 
needed, as scratch tapes by the Turing machine. 


Definition 2.6. P is the class of problems solvable in polynomial-time by a 
Deterministic Turing Machine (DTM). Problems in this class are classified as 
tractable (feasible) and easy to solve on a computer. For example, the addition of any 
two integers, no matter how big they are, can be performed in polynomial-time, and 
hence is in P. 


Definition 2.7. NP is the class of problems solvable in polynomial-time on a 
Non-Deterministic Turing Machine (NDTM). Problems in this class are classified as 
intractable (infeasible) and hard to solve on a computer. For example, the Traveling 
Salesman Problem (TSP) is in NP, and hence it is hard to solve. 


In terms of formal languages, we may also say that P is the class of languages 
where membership in the class can be decided in polynomial-time, whereas 
NP is the class of languages where membership in the class can be verified 
in polynomial-time [43]. It seems that the power of polynomial-time verifiability is 
greater than that of polynomial-time decidability, but no proof has been given to 
support this statement (see Figure 2.4). The question of whether or not P = NP is 
one of the greatest unsolved problems in computer science and mathematics, and 
in fact it is one of the seven Millennium Prize Problems proposed by the Clay 
Mathematics Institute in Boston in 2000, each with a one-million US dollar prize [12]. 

Figure 2.3 Randomized Turing machine 


Definition 2.8. EXP is the class of problems solvable by a deterministic Turing 
machine in time bounded by $2^{n^k}$ for some constant $k$. 


Definition 2.9. A function $f$ is polynomial-time computable if for any input $w$, $f(w)$ 
will halt on a Turing machine in polynomial-time. A language $A$ is polynomial-time 
reducible to a language $B$, denoted by $A \le_p B$, if there exists a polynomial-time 
computable function $f$ such that for every input $w$, 

$$w \in A \iff f(w) \in B.$$

The function $f$ is called the polynomial-time reduction of $A$ to $B$. 


Definition 2.10. A language/problem $L$ is NP-Complete if it satisfies the 
following two conditions: 

1. $L \in \text{NP}$, 
2. $\forall A \in \text{NP},\ A \le_p L$. 

Figure 2.4 The P versus NP problem 

Definition 2.11. A problem $D$ is NP-Hard if it satisfies the following condition: 

$$\forall A \in \text{NP},\ A \le_p D,$$

where $D$ may be in NP, or may not be in NP. Thus, NP-Hard means at least as 
hard as any NP-problem, although it might, in fact, be harder. 


Similarly, one can define the classes of problems P-Space, P-Space Complete, 
and P-Space Hard. We shall use NPC to denote the set of NP-Complete problems, 
PSC the set of P-Space Complete problems, NPH the set of NP-Hard problems, 
and PSH the set of P-Space Hard problems. The relationships among the classes 
P, NP, NPC, PSC, NPH, PSH and EXP may be described in Figure 2.5. 


Definition 2.12. RP is the class of problems solvable in expected polynomial-time 
with one-sided error by a probabilistic (randomized) Turing machine. By “one-sided 
error” we mean that the machine will answer “yes” when the answer is “yes” 
with a probability of error $< 1/2$, and will answer “no” when the answer is “no” 
with zero probability of error. 


Definition 2.13. ZPP is the class of problems solvable in expected polynomial-time 
with zero error on a probabilistic Turing machine. It is defined by ZPP = 
RP ∩ co-RP, where co-RP is the class of complementary languages of RP, i.e., 
co-RP = $\{L : \bar{L} \in \text{RP}\}$. By “zero error” we mean that the machine will 
answer “yes” when the answer is “yes” (with zero probability of error), and will 
answer “no” when the answer is “no” (also with zero probability of error). But note 
that the machine may also answer “?”, which means that the machine does not know 
whether the answer is “yes” or “no”. However, it is guaranteed that in at most half of 
the simulation cases the machine will answer “?”. ZPP is usually referred to as an 
elite class, because it also equals the class of problems that can be solved by 
randomized algorithms that always give the correct answer and run in expected 
polynomial-time. 

Figure 2.5 Conjectured relationships among classes P, NP and NPC, etc. 


Definition 2.14. BPP is the class of problems solvable in expected polynomial-time 
with two-sided error on a probabilistic Turing machine, in which the answer 
always has probability at least $1/2 + \delta$, for some fixed $\delta > 0$, of being 
correct. The “B” in BPP stands for “bounded away the error probability from 1/2”; 
for example, the error probability could be 1/3. 


The space complexity classes P-SPACE and NP-SPACE can be defined analogously 
to P and NP. It is clear that a time class is included in the corresponding 
space class, since each computation step can use at most one new tape square. 
Although it is not known whether or not P = NP, it is known that P-SPACE = NP-SPACE. 
It is generally believed that 

$$\text{P} \subseteq \cdots \subseteq \begin{Bmatrix} \text{NP} \\ \text{BPP} \end{Bmatrix} \subseteq \text{P-SPACE} \subseteq \text{EXP}.$$

Besides the proper inclusion P ⊂ EXP, it is not known whether any of the other 
inclusions in the above hierarchy is proper. Note that the relationship of BPP and 
NP is not known, although it is believed that NP ⊄ BPP. Figure 2.6 shows the 
relationships among the various common complexity classes. 

Figure 2.6 Conjectured relationships among some common complexity classes 


2.2.2 The Cook-Karp Thesis 


It is widely believed, although no proof has been given, that problems in P are 
computationally tractable (or feasible, easy), whereas problems not in (i.e., beyond) 
P are computationally intractable (or infeasible, hard, difficult). This is the famous 
Cook-Karp thesis, named after Stephen Cook, who first studied the P versus NP problem, 
and Richard Karp, who proposed a list of NP-Complete problems. 


The Cook-Karp thesis. Any computationally tractable problem can be computed by a 
Turing machine in deterministic polynomial-time. 


Thus, problems in P are tractable whereas problems in NP are intractable. 
However, there is no clear cut between the two types of problems. This is exactly 
the hard P versus NP problem mentioned earlier. Compared to the Church-Turing 
thesis, the Cook-Karp thesis provides a step closer to practical computability and 
complexity, and hence life after Cook and Karp is much easier, since there is 
no need to go all the way back to Church and Turing. Again, the Cook-Karp thesis is 
not a mathematical theorem and hence cannot be proved mathematically; however, 
evidence supports the thesis. 


Problems for Section 2.2 


1. Define and explain the following complexity classes [18]: 
P, 
NP, 
RP, 
BPP, 
ZPP, 
NP-Complete, 
NP-Hard, 
Pe 
P-Space, 
NP-Space, 
EXP. 


2. Show that P ⊆ RP. 

3. Let SAT denote the SATisfiability problem. Show that SAT ∈ NP and 
SAT ∈ NP-Complete. 

4. Let HPP denote the Hamiltonian Path Problem. Show that HPP ∈ NP and 
HPP ∈ NP-Complete. 

5. Show that HPP is polynomial-time reducible to TSP. 

6. Prove or disprove P ≠ NP. 

7. Just the same as it is not known if P ≠ NP, it is also currently not known if 
BPP ≠ P-Space, and proving or disproving this would be a major breakthrough 
in computational complexity theory. Prove or disprove BPP ≠ P-Space. 


2.3 Quantum Information and Computation 


The idea that computers can be viewed as physical objects and computations as 
physical processes is revolutionary; it was conceived by several scientists, most 
notably Richard Feynman (1918-1988) and David Deutsch (born 1953). For example, 
Feynman's book Feynman Lectures on Computation [17] was published posthumously 
in 1996; in it he introduced the theory of reversible computation, quantum 
mechanical computers and quantum aspects of computation in great detail, whereas 
Deutsch in 1985 published a paper [15] explaining the basic idea of the quantum Turing 
machine and the universal quantum computer. 

Quantum computers are machines that rely on characteristically quantum phenomena, 
such as quantum interference and quantum entanglement, in order to 
perform computation, whereas the classical theory of computation usually refers 
not to physics but to purely mathematical subjects. A conventional digital computer 
operates with bits (we may call them Shannon bits, since Shannon was the first 
to use bits to represent information), the Boolean states 0 and 1, and after each 
computation step the computer has a definite, exactly measurable state, that is, all 
bits are in the form 0 or 1 but not both. A quantum computer, a quantum analogue of 
a digital computer, operates with quantum bits (the quantum version of the Shannon bit) 
involving quantum states. The state of a quantum computer is described as a basis 
vector in a Hilbert space,¹ named after the German mathematician David Hilbert 
(1862-1943). More formally, we have: 


Definition 2.15. A qubit is a quantum state $|\psi\rangle$ of the form 

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle,$$

where the amplitudes $\alpha, \beta \in \mathbb{C}$, such that $\|\alpha\|^2 + \|\beta\|^2 = 1$, 
and $|0\rangle$ and $|1\rangle$ are basis vectors of the Hilbert space. 


Note that state vectors are written in a special angular bracket notation called 
a “ket vector” $|\psi\rangle$, an expression coined by Paul Dirac, who wanted a shorthand 
notation for writing formulae that arise in quantum mechanics. In a quantum 
computer, each qubit could be represented by the state of a simple 2-state quantum 
system such as the spin state of a spin-1/2 particle. The spin of such a particle, when 
measured, is always found to exist in one of two possible states $|+\tfrac{1}{2}\rangle$ (spin-up) and 
$|-\tfrac{1}{2}\rangle$ (spin-down). This discreteness is called quantization. Clearly, the two states 
can then be used to represent the binary values 1 and 0 (see Figure 2.7; by courtesy 
of Williams and Clearwater [49]). The main difference between qubits and classical 
bits is that a bit can only be set to either 0 or 1, while a qubit $|\psi\rangle$ can take any 
(uncountable) quantum superposition of $|0\rangle$ and $|1\rangle$ (see Figure 2.8; by courtesy 
of Williams and Clearwater [49]). That is, a qubit in a simple 2-state system can 
have two states rather than just one allowed at a time as for the classical Shannon bit. 
Moreover, if a 2-state quantum system can exist in any one of the states $|0\rangle$ and $|1\rangle$, 
it can also exist in the superposed state 

$$|\psi\rangle = a_1|0\rangle + a_2|1\rangle.$$

This is known as the principle of superposition. More generally, if a $k$-state quantum 
system can exist in any one of the following $k$ eigenstates $|c_1\rangle, |c_2\rangle, \ldots, |c_k\rangle$, it can 
also exist in the superposed state 

$$|\psi\rangle = a_1|c_1\rangle + a_2|c_2\rangle + \cdots + a_k|c_k\rangle = \sum_{i=1}^{k} a_i|c_i\rangle,$$

where the amplitudes $a_i \in \mathbb{C}$, such that $\sum_i \|a_i\|^2 = 1$, and each $|c_i\rangle$ is a basis 
vector of the Hilbert space. Once we can encode the binary values 0 and 1 in the 
states of a physical system, we can make a complete memory or register out of a 
chain of such systems. 

¹ Hilbert space is defined to be a complete inner-product space. The set of all sequences $x = (x_1, x_2, \ldots)$ 
of complex numbers (where $\sum_i |x_i|^2$ is finite) is a good example of a Hilbert space, 
where the sum $x + y$ is defined as $(x_1 + y_1, x_2 + y_2, \ldots)$, the product $ax$ as $(ax_1, ax_2, \ldots)$, and 
the inner product as $\langle x, y\rangle = \sum_i \bar{x}_i y_i$, where $\bar{x}_i$ is the complex conjugate of $x_i$, $x = (x_1, x_2, \ldots)$ 
and $y = (y_1, y_2, \ldots)$. In modern quantum mechanics all possible physical states of a system are 
considered to correspond to space vectors in a Hilbert space. 

Figure 2.7 A qubit for the binary values 0 and 1 

Figure 2.8 Each sphere represents a qubit with the same proportions of the $|0\rangle$ and $|1\rangle$ 
Definition 2.16. A quantum register, or more generally, a quantum computer, is an 
ordered set of a finite number of qubits. 


In order to use a physical system to do computation, we must be able to 
change the state of the system; this is achieved by applying a sequence of unitary 
transformations to the state vector $|\psi\rangle$ via a unitary matrix (a unitary matrix is one 
whose conjugate transpose is equal to its inverse). Suppose now a computation is 
performed on a one-bit quantum computer; then the superposition will be 

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle,$$

where $\alpha, \beta \in \mathbb{C}$, such that $\|\alpha\|^2 + \|\beta\|^2 = 1$. The different possible states are 

$$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix} \quad\text{and}\quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}.$$

Let the unitary matrix $M$ be 

$$M = \begin{pmatrix} \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\[4pt] \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \end{pmatrix}.$$

Then the quantum operations on a qubit can be written as follows: 

$$M|0\rangle = \begin{pmatrix} \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\[4pt] \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \end{pmatrix} \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} \frac{1}{\sqrt{2}} \\[4pt] \frac{1}{\sqrt{2}} \end{pmatrix} = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle,$$

$$M|1\rangle = \begin{pmatrix} \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\[4pt] \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \end{pmatrix} \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} \frac{1}{\sqrt{2}} \\[4pt] -\frac{1}{\sqrt{2}} \end{pmatrix} = \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle,$$

which is actually the quantum gate (analogous to the classical logic gate): 

$$|0\rangle \to \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle, \qquad |1\rangle \to \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle.$$
Logic gates can be regarded as logic operators. The NOT operator, defined as 

$$\text{NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},$$

changes the state of its input as follows: 

$$\text{NOT}|0\rangle = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \end{pmatrix} = |1\rangle,$$

$$\text{NOT}|1\rangle = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 1 \\ 0 \end{pmatrix} = |0\rangle.$$
Similarly, we can define the quantum gate on two bits as follows: 

$$|00\rangle \to |00\rangle,$$
$$|01\rangle \to |01\rangle,$$
$$|10\rangle \to \frac{1}{\sqrt{2}}|10\rangle + \frac{1}{\sqrt{2}}|11\rangle,$$
$$|11\rangle \to \frac{1}{\sqrt{2}}|10\rangle - \frac{1}{\sqrt{2}}|11\rangle,$$

or equivalently by giving the unitary matrix of the quantum operation: 

$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & \frac{1}{\sqrt{2}} & \frac{1}{\sqrt{2}} \\[4pt] 0 & 0 & \frac{1}{\sqrt{2}} & -\frac{1}{\sqrt{2}} \end{pmatrix}. \qquad (2.1)$$

This matrix is actually the counterpart of the truth table of Boolean logic used for 
digital computers. Suppose now the computation is in the superposition of the states 

$$\frac{1}{\sqrt{2}}|10\rangle - \frac{1}{\sqrt{2}}|11\rangle \quad\text{or}\quad \frac{1}{\sqrt{2}}|10\rangle + \frac{1}{\sqrt{2}}|11\rangle.$$

Then using the unitary transformation defined in (2.1), we have 

$$\begin{aligned}
\frac{1}{\sqrt{2}}|10\rangle - \frac{1}{\sqrt{2}}|11\rangle &\to \frac{1}{\sqrt{2}}\Big(\frac{1}{\sqrt{2}}|10\rangle + \frac{1}{\sqrt{2}}|11\rangle\Big) - \frac{1}{\sqrt{2}}\Big(\frac{1}{\sqrt{2}}|10\rangle - \frac{1}{\sqrt{2}}|11\rangle\Big) \\
&= \frac{1}{2}\big(|10\rangle + |11\rangle\big) - \frac{1}{2}\big(|10\rangle - |11\rangle\big) \\
&= |11\rangle, \\[6pt]
\frac{1}{\sqrt{2}}|10\rangle + \frac{1}{\sqrt{2}}|11\rangle &\to \frac{1}{2}\big(|10\rangle + |11\rangle\big) + \frac{1}{2}\big(|10\rangle - |11\rangle\big) \\
&= |10\rangle.
\end{aligned}$$
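As an added example, not code from the book, the following Python script represents qubit states as complex amplitude vectors and the gates of this section as matrices (NOT, the one-qubit matrix M, the two-qubit matrix of (2.1), and the √NOT gate of the problems below); it reproduces the two-qubit computation above and checks each matrix for unitarity. All function and constant names are this example's own.

```python
# Added example, not from the book: qubit states as complex amplitude vectors,
# the gates of Section 2.3 as matrices, and a unitarity check (M^dagger M = I).
# Plain Python only; function and constant names are this example's own.
from math import sqrt, isclose

INV_SQRT2 = 1 / sqrt(2)
TOL = 1e-12


def ket(index, n_qubits=1):
    """Computational basis state |index> of an n-qubit register as a column vector."""
    v = [0j] * (2 ** n_qubits)
    v[index] = 1 + 0j
    return v


def superposition(terms, n_qubits=1):
    """State built from (amplitude, basis index) pairs, e.g. (1/sqrt2)|10> - (1/sqrt2)|11>."""
    v = [0j] * (2 ** n_qubits)
    for amplitude, index in terms:
        v[index] += amplitude
    return v


def apply_gate(matrix, state):
    """Matrix-vector product: the gate acting on the state vector."""
    return [sum(row[j] * state[j] for j in range(len(state))) for row in matrix]


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def conj_transpose(m):
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m[0]))]


def same_matrix(a, b):
    return len(a) == len(b) and all(
        abs(x - y) < TOL for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def is_unitary(m):
    """A unitary matrix is one whose conjugate transpose equals its inverse."""
    identity = [[1 + 0j if i == j else 0j for j in range(len(m))] for i in range(len(m))]
    return same_matrix(mat_mul(conj_transpose(m), m), identity)


def measurement_probabilities(state):
    """|amplitude|^2 for each basis state; these sum to 1 for a normalised state."""
    return [abs(a) ** 2 for a in state]


def basis_index(state):
    """Index of the basis ket if the state is (up to rounding) a basis state, else None."""
    nonzero = [i for i, a in enumerate(state) if abs(a) > TOL]
    if len(nonzero) == 1 and isclose(abs(state[nonzero[0]]), 1.0, abs_tol=TOL):
        return nonzero[0]
    return None


NOT = [[0, 1],
       [1, 0]]
# The one-qubit unitary matrix M of the text (the Hadamard gate).
M_ONE = [[INV_SQRT2, INV_SQRT2],
         [INV_SQRT2, -INV_SQRT2]]
# Equation (2.1): identity on |00>, |01>; the block M on |10>, |11>.
M_TWO = [[1, 0, 0, 0],
         [0, 1, 0, 0],
         [0, 0, INV_SQRT2, INV_SQRT2],
         [0, 0, INV_SQRT2, -INV_SQRT2]]
# The square root of NOT from Problems 3 and 4 of this section.
SQRT_NOT = [[(1 + 1j) / 2, (1 - 1j) / 2],
            [(1 - 1j) / 2, (1 + 1j) / 2]]


def two_qubit_worked_example():
    """The computation of the text: (|10> - |11>)/sqrt2 maps to |11> (index 3)
    and (|10> + |11>)/sqrt2 maps to |10> (index 2) under the matrix (2.1)."""
    minus = superposition([(INV_SQRT2, 2), (-INV_SQRT2, 3)], n_qubits=2)
    plus = superposition([(INV_SQRT2, 2), (INV_SQRT2, 3)], n_qubits=2)
    return basis_index(apply_gate(M_TWO, minus)), basis_index(apply_gate(M_TWO, plus))


if __name__ == "__main__":
    print("NOT|0> is basis state", basis_index(apply_gate(NOT, ket(0))))
    print("M|0> measurement probabilities", measurement_probabilities(apply_gate(M_ONE, ket(0))))
    print("two-qubit example gives basis indices", two_qubit_worked_example())
    print("all gates unitary:", all(is_unitary(g) for g in (NOT, M_ONE, M_TWO, SQRT_NOT)))
```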
Problems for Section 2.3 


1. Let 
$$\text{NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad |0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}.$$
Show that $\text{NOT}|0\rangle = |1\rangle$. 

2. Let 
$$\text{NOT} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}.$$
Show that $\text{NOT}|1\rangle = |0\rangle$. 

3. Let the action of the $\sqrt{\text{NOT}}$ gate be as follows: 
$$\sqrt{\text{NOT}} = \begin{pmatrix} \frac{1+i}{2} & \frac{1-i}{2} \\[4pt] \frac{1-i}{2} & \frac{1+i}{2} \end{pmatrix}.$$
Show that 
$$\sqrt{\text{NOT}} \cdot \sqrt{\text{NOT}} = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$

4. Let the conjugate transpose of $\sqrt{\text{NOT}}$, denoted by $(\sqrt{\text{NOT}})^\dagger$, be as follows: 
$$(\sqrt{\text{NOT}})^\dagger = \begin{pmatrix} \frac{1-i}{2} & \frac{1+i}{2} \\[4pt] \frac{1+i}{2} & \frac{1-i}{2} \end{pmatrix}.$$
Show that 
$$\sqrt{\text{NOT}} \cdot (\sqrt{\text{NOT}})^\dagger = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$

5. Let 
$$|+\rangle = \frac{1}{\sqrt{2}}\big(|0\rangle + |1\rangle\big), \qquad |-\rangle = \frac{1}{\sqrt{2}}\big(|0\rangle - |1\rangle\big),$$
and consider also the states 
$$\frac{1}{\sqrt{2}}\big(|0\rangle + i|1\rangle\big) \quad\text{and}\quad \frac{1}{\sqrt{2}}\big(|0\rangle - i|1\rangle\big).$$
Which pairs of expressions for quantum states represent the same state? 
(1) $\frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle)$ and $\frac{1}{\sqrt{2}}(-|0\rangle + i|1\rangle)$. 
(2) $\frac{1}{\sqrt{2}}(|0\rangle + e^{i\pi/4}|1\rangle)$ and $\frac{1}{\sqrt{2}}(e^{-i\pi/4}|0\rangle + |1\rangle)$. 

6. Give the set of all values of $\gamma$ such that the following pairs of quantum states are 
equivalent states: 
(1) $|1\rangle$ and $\frac{1}{\sqrt{2}}\big(|+\rangle + e^{i\gamma}|-\rangle\big)$. 
(2) $\frac{1}{2}|0\rangle - \frac{\sqrt{3}}{2}|1\rangle$ and $e^{i\gamma}\big(\frac{1}{2}|0\rangle - \frac{\sqrt{3}}{2}|1\rangle\big)$. 


2.4 Quantum Computability and Complexity 


In this section, we shall give a brief introduction to some basic concepts of quantum 
computability and complexity within the theoretical framework of quantum Turing 
machines. 

The first true quantum Turing machine was proposed in 1985 by Deutsch [15]. 
A Quantum Turing Machine (QTM) is a quantum mechanical generalization of 
a probabilistic Turing machine, in which each cell on the tape can hold a qubit 
(quantum bit) whose state is represented as an arrow contained in a sphere (see 
Figure 2.9). Let $\tilde{\mathbb{C}}$ be the set consisting of $\alpha \in \mathbb{C}$ such that there is a deterministic 
Turing machine that computes the real and imaginary parts of $\alpha$ to within $2^{-n}$ in 
time polynomial in $n$; then the quantum Turing machine can still be defined as 
an algebraic system 

$$M = (Q, \Sigma, \Gamma, \delta, q_0, \square, F),$$

where 

$$\delta : Q \times \Gamma \to \tilde{\mathbb{C}}^{\,Q \times \Gamma \times \{L, R\}}$$

and the rest remains the same as for a probabilistic Turing machine. Readers are 
suggested to consult Bernstein and Vazirani [5] for a more detailed discussion of 
quantum Turing machines. Quantum Turing machines open a new way to model 
our universe, which is quantum physical, and offer new features of computation. 
However, quantum Turing machines do not offer more computational power than 
classical Turing machines. This leads to the following quantitative version of the 
Church-Turing thesis for quantum computation (see [49]; by courtesy of Williams 
and Clearwater): 

Figure 2.9 A quantum Turing machine 

The Church-Turing thesis for quantum computation. Any physical (quantum) computing 
device can be simulated by a Turing machine in a number of steps polynomial in the 
resources used by the computing device. 


That is, from a computability point of view, a quantum Turing machine has no more 
computational power than a classical Turing machine. However, from a computational 
complexity point of view, a quantum Turing machine may be more efficient than a 
classical Turing machine for certain types of computationally intractable problems. For 
example, the Integer Factorization Problem and the Discrete Logarithm Problem are 
intractable on classical Turing machines (as everybody knows at present), but they 
are tractable on quantum Turing machines. More precisely, IFP and DLP cannot 
be solved in polynomial-time on a classical computer (classical Turing machine), 
but can be solved in polynomial-time on a quantum computer (quantum Turing 
machine). 


Remark 2.2. Quantum computers are not just faster versions of classical computers, 
but use a different paradigm for computation. They would speed up the computation 
of some problems such as IFP and DLP by large factors, but other problems not at 
all. For quantum computers to be practically useful, we would expect them to solve the 
NP problems in P. But unfortunately, we do not know this yet. What we know is 
that quantum computers can solve, e.g., IFP and DLP in P, but IFP and DLP have 
not been proved in NP. 


Just as there are classical complexity classes, so are there quantum complexity 
classes. As quantum Turing machines are generalizations of probabilistic Turing 
machines, the quantum complexity classes resemble the probabilistic complexity 
classes. First, we give the following quantum analog of classical P: 

Figure 2.10 Relationship between QP and P 

Figure 2.11 Relationship between ZQP and ZPP 

Definition 2.17. QP (Quantum Analogue of P) is the class of problems solvable, 
with certainty, in polynomial-time on a quantum Turing machine. 

It can be shown that P ⊂ QP (see Figure 2.10). That is, the quantum Turing 
machine can solve more problems efficiently in worst-case polynomial-time than a 
classical Turing machine. 

Similarly, we have the following quantum analog of classical ZPP. 


Definition 2.18. ZQP (Quantum Analogue of ZPP) is the class of problems 
solvable in expected polynomial-time with zero-error probability by a quantum 
Turing machine. 


It is clear that ZPP ⊂ ZQP (see Figure 2.11). 


Definition 2.19. BQP (Quantum Analogue of BPP) is the class of problems 
solvable in polynomial-time by a quantum Turing machine, possibly with a bounded 
probability $\epsilon \le 1/3$ of error. 


It is known that P ⊆ BPP ⊆ BQP ⊆ P-SPACE, and hence it is not known 
whether quantum Turing machines are more powerful than probabilistic Turing 
machines. The relationship between BQP and NP is also not known. Figure 2.12 
shows the suspected relationships of BQP to some other well-known classical 
computational classes. 


Problems for Section 2.4 


1. Explain the complexity classes in the following conjectured containment 
relationships involving classical and quantum computation in Figure 2.13: 

Figure 2.12 Suspected relationships of BQP to other classes 

2. Show that P ⊆ QP ⊆ BQP. 

3. One of the most significant results in quantum computational complexity is that 
BQP ⊆ P-Space. Show that BPP ⊆ BQP ⊆ P-Space. 

4. Show that $\text{BQP} \subseteq \text{P}^{\#\text{P}} \subseteq \text{P-Space}$, 
where $\text{P}^{\#\text{P}}$ is the set of problems which could be solved in polynomial-time if 
sums of exponentially many terms could be computed efficiently (where these 
sums must satisfy the requirement that each term is computable in polynomial-time). 

5. Show that IP = P-Space, where IP is the set of problems having interactive proof 
systems, and QIP = P-Space, where QIP is the set of problems having quantum 
interactive proof systems. 

Figure 2.13 Suspected containment relationships of complexity classes 

6. It is currently not known if a Quantum Turing Machine (QTM) has more 
computational power than a Probabilistic Turing Machine (PTM). Provide 
evidence to support the statement that quantum computers do not violate the 
Church-Turing Thesis (any algorithmic process can be simulated by a Turing 
machine). 

7. The Church-Turing thesis (CT), from a computability point of view, can be 
interpreted as saying that if a function can be computed by any conceivable hardware system, 
then it can be computed by a Turing machine. The Extended Church-Turing 
thesis (ECT), from a computational complexity point of view, makes the stronger 
assertion that the Turing machine is also as efficient as any computing device can 
be. That is, if a function can be computed by some hardware device in time $T(n)$ 
for input of size $n$, then it can be computed by a Turing machine in time $(T(n))^k$ 
for fixed $k$, depending on the problem. Do you think ECT is valid for quantum 
computers and for cloud computation? 


2.5 Chapter Notes and Further Reading 


The aim of quantum computational number theory is to use the quantum computational 
approach, including, e.g., quantum hardware (quantum computers) and quantum 
software (quantum algorithms and programs), to solve the difficult number-theoretic 
problems that are hard to solve by classical computers and algorithms; thus quantum 
computation plays an important role in quantum computational number theory. This 
chapter presented the necessary background information on classical and quantum 
computation theories that will be used in the rest of the book. 

Turing's seminal paper on computable numbers with an application to the decision 
problem was published in 1936 [45]; it is in this paper that he proposed the famous 
Turing machine model. Church's seminal paper on an unsolvable problem in elementary 
number theory was also published in 1936 [7]. So, 1936 was a great year for 
theoretical computer science. Church also wrote a rather lengthy review paper [8] on 
Turing's paper [45]. The famous Church-Turing thesis was proposed and formulated 
basically in these three papers. The Cook-Karp thesis was basically proposed 
and formulated in Cook's 1971 paper [10] and Karp's 1972 paper [25]. These 
papers, among others, are the founding papers of the modern theory of computability 
and computational complexity. There are a huge number of papers and books 
devoted to the theories of computability and complexity, including, e.g., Cook's 
paper on the P versus NP problem [11] and Yao's paper on the Church-Turing 
thesis and the Extended Church-Turing thesis [53]. The standard references in the 
field include Hopcroft, Motwani and Ullman's classical book [24] (now in its 3rd 
edition), and Garey and Johnson's book on computational intractability [18]. Other 
excellent and comprehensive books include Lewis and Papadimitriou [28], Linz 
[29], Papadimitriou [33] and Sipser [53] in Chapter 1. More information on number-theoretic 
computation may be found in [9, 13, 14, 19-21, 35] and many others. 

Quantum computation is a new paradigm of computation. Quantum computers 
would speed up some problems by large factors, but not all problems. In fact, 
as far as we know at present, quantum computation does not violate the Church-Turing 
thesis and quantum computers do not offer more computational power than 
classical computers. The first person to systematically study quantum computation 
is possibly the 1965 Nobel Laureate Richard Feynman (see Feynman [16, 17]). The 
following references provide more information on quantum computing, including 
quantum computability and quantum complexity: [2, 4, 6, 22, 23, 26, 27, 31, 32, 34, 
36-41, 44, 46-48, 50-52]. 

There is a special section on quantum computation in SIAM Journal, Volume 
26, Number 5, October 1997, with some of the classical papers in the field by 
Bernstein and Vazirani [5] on quantum complexity theory, Simon [42] on the power 
of quantum computation, Shor [37] on polynomial-time quantum algorithms for 
IFP and DLP, Bennett [3] on strengths and weaknesses of quantum computing, and 
Adleman et al. [1] on quantum computability, etc. 
Chapter 3 
Quantum Algorithms for Integer Factorization 


Anything one man can imagine, other men can make real. 


JULES VERNE (1828-1905) 
French Novelist, Father of Science Fiction 


It is well-known that the most famous and widely used cryptographic system, RSA, 
relies for its security on the intractability of the Integer Factorization Problem (IFP), for 
which the inventors of RSA received the 2002 Turing Award, considered the 
equivalent of the Nobel Prize in Computer Science. If IFP can be solved in polynomial-time, 
then RSA and many other cryptographic systems can be broken completely 
and efficiently. Surprisingly, in 1994, Shor proposed a quantum algorithm which 
can solve IFP in polynomial-time. In this chapter, we shall discuss the following 
topics related to quantum factoring: 


1. Classical algorithms for integer factorization; 

2. Factoring based cryptography; 

3. Shor's quantum factoring algorithm; 

4. Variations (compiled and improved versions) of Shor's algorithm. 

3.1 Classical Algorithms for Integer Factorization 


3.1.1 Basic Concepts 


There are many methods and algorithms for factoring integers. If we are concerned 
with the determinism of the algorithms, then there are two types of factoring 
algorithms: 


1. Deterministic factoring algorithms; 
2. Probabilistic factoring algorithms. 


However, if we are more concerned with the form and the properties of the integers 
to be factored, then there are two types of factoring methods or algorithms: 
1. General purpose factoring algorithms: the running time depends mainly on the 
size of $n$, the number to be factored, and is not strongly dependent on the size of 
the factor $p$ found. Examples are: 

(1) Lehman's method [48], which has a rigorous worst-case running time bound 
$O(n^{1/3})$. 

(2) Euler's factoring method [57], which has deterministic running time 
$O(n^{1/3+\epsilon})$. 

(3) Shanks' SQUare FOrm Factorization method (SQUFOF) [79], which has 
expected running time $O(n^{1/4})$. 

(4) The FFT-based factoring methods of Pollard and Strassen (see [69, 88]), 
which have deterministic running time $O(n^{1/4+\epsilon})$. 

(5) The lattice-based factoring method of Coppersmith [19], which has 
deterministic running time $O(n^{1/4+\epsilon})$. 

(6) Shanks' class group method [78], which has running time $O(n^{1/5+\epsilon})$, 
assuming the ERH (Extended Riemann Hypothesis). 

(7) Continued FRACtion method (CFRAC) [63], which under plausible 
assumptions has expected running time 

$$O\Big(\exp\big(c\sqrt{\log n \log\log n}\big)\Big) = O\Big(n^{c\sqrt{\log\log n/\log n}}\Big),$$

where $c$ is a constant (depending on the details of the algorithm); usually 
$c = \sqrt{2} \approx 1.414213562$. 

(8) Quadratic Sieve/Multiple Polynomial Quadratic Sieve (QS/MPQS) [71], 
which under plausible assumptions has expected running time 

$$O\Big(\exp\big(c\sqrt{\log n \log\log n}\big)\Big) = O\Big(n^{c\sqrt{\log\log n/\log n}}\Big),$$

where $c$ is a constant (depending on the details of the algorithm); usually 
$c = \dfrac{3}{2\sqrt{2}} \approx 1.060660172$. 

(9) Number Field Sieve (NFS) [50], which under plausible assumptions has the 
expected running time 

$$O\Big(\exp\big(c\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\big)\Big),$$

where $c = (64/9)^{1/3} \approx 1.922999427$ if GNFS (a general version of NFS) is 
used to factor an arbitrary integer $n$, whereas $c = (32/9)^{1/3} \approx 1.526285657$ 
if SNFS (a special version of NFS) is used to factor a special integer $n$ such as 
$n = r^e + s$, where $r$ and $s$ are small, $r > 1$ and $e$ is large. This is substantially 
and asymptotically faster than any other currently known factoring method. 


2. Special purpose factoring algorithms: the running time depends mainly on the 
size of $p$ (the factor found) of $n$. (We can assume that $p < \sqrt{n}$.) Examples are: 

(1) Trial division [46], which has running time $O\big(p(\log n)^2\big)$. 

(2) Pollard's $\rho$-method (see [11, 70]) (also known as Pollard's “rho” algorithm), 
which under plausible assumptions has expected running time 
$O\big(p^{1/2}(\log n)^2\big)$. 

(3) Pollard's $p - 1$ method [69], which runs in $O\big(B\log B(\log n)^2\big)$, where $B$ is 
the smoothness bound; larger values of $B$ make it run more slowly, but are more 
likely to produce a factor of $n$. 

(4) Lenstra's Elliptic Curve Method (ECM) [49], which under plausible 
assumptions has expected running time 

$$O\Big(\exp\big(c\sqrt{\log p \log\log p}\big) \cdot (\log n)^2\Big),$$

where $c \approx 2$ is a constant (depending on the details of the algorithm). 


The term $O\big((\log n)^2\big)$ is for the cost of performing arithmetic operations on 
numbers which are $O(\log n)$ or $O\big((\log n)^2\big)$ bits long; the second can 
theoretically be replaced by $O\big((\log n)^{1+\epsilon}\big)$ for any $\epsilon > 0$. 


3.1.2 Number Field Sieve Factoring 


A fundamental idea of many modern general-purpose algorithms for factoring $n$ is 
to find a suitable pair $(x, y)$ such that 

$$x^2 \equiv y^2 \pmod n \quad\text{but}\quad x \not\equiv \pm y \pmod n;$$

then there is a good chance to factor $n$: 

$$\Pr\Big(\gcd(x \pm y, n) \in \{f_1, f_2\},\ 1 < f_1, f_2 < n\Big) \ge \frac{1}{2}.$$

In practice, the asymptotically fastest general-purpose factoring algorithm is the 
Number Field Sieve, which runs in expected subexponential-time 

$$O\Big(\exp\big(c(\log n)^{1/3}(\log\log n)^{2/3}\big)\Big).$$
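As an added example, not the book's code, the following Python script carries out this idea on a constructed modulus n = 8051 = 83 · 97: it finds a pair with x² ≡ y² (mod n) by Fermat's difference-of-squares search, splits n with gcd(x ± y, n), and counts by exhaustive search how many of the square roots y of x² mod n give a nontrivial factor, which illustrates the probability bound. Function names are this example's own.

```python
# Added example, not from the book: factoring a constructed n = 8051 = 83 * 97
# from a congruence of squares x^2 ≡ y^2 (mod n), and checking the claim that
# at least half of the square roots y of x^2 mod n split n. Names are this
# example's own.
from math import gcd, isqrt


def is_perfect_square(a):
    return a >= 0 and isqrt(a) ** 2 == a


def factor_from_congruence(n, x, y):
    """Given x^2 ≡ y^2 (mod n), return (f1, f2) with 1 < f1 <= f2 < n and
    f1 * f2 = n if gcd(x - y, n) or gcd(x + y, n) is nontrivial; otherwise
    None (the trivial case x ≡ ±y (mod n))."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x^2 and y^2 are not congruent modulo n")
    for g in (gcd(x - y, n), gcd(x + y, n)):
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None


def fermat_congruence(n, max_steps=10 ** 6):
    """Search x = ceil(sqrt(n)), ceil(sqrt(n)) + 1, ... until x^2 - n is a
    perfect square y^2, which gives x^2 ≡ y^2 (mod n).  Fast only when the
    two factors of n are close together."""
    x = isqrt(n)
    if x * x < n:
        x += 1
    for _ in range(max_steps):
        d = x * x - n
        if is_perfect_square(d):
            return x, isqrt(d)
        x += 1
    return None


def square_roots_mod(n, a):
    """All y in [0, n) with y^2 ≡ a (mod n), by exhaustive search (small n only)."""
    return [y for y in range(n) if (y * y - a) % n == 0]


def useful_root_fraction(n, x):
    """(useful, total): among all square roots y of x^2 mod n, how many give a
    nontrivial gcd(x ± y, n).  For n = p * q there are four roots, ±x and two
    others, and exactly the two others split n, hence the bound 1/2."""
    roots = square_roots_mod(n, x * x % n)
    useful = sum(1 for y in roots if factor_from_congruence(n, x, y) is not None)
    return useful, len(roots)


def factor(n):
    """Combine the search and the gcd step; returns (f1, f2) or None."""
    pair = fermat_congruence(n)
    if pair is None:
        return None
    x, y = pair
    return factor_from_congruence(n, x, y)


if __name__ == "__main__":
    n = 8051  # constructed: 83 * 97
    print("congruence pair (x, y):", fermat_congruence(n))
    print("factors:", factor(n))
    print("square roots of x^2 mod n that split n:", useful_root_fraction(n, 90))
```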


Definition 3.1. A complex number $\alpha$ is an algebraic number if it is a root of a 
polynomial 

$$f(x) = a_0 x^k + a_1 x^{k-1} + a_2 x^{k-2} + \cdots + a_k = 0 \qquad (3.1)$$

where $a_0, a_1, a_2, \ldots, a_k \in \mathbb{Q}$ and $a_0 \ne 0$. If $f(x)$ is irreducible over $\mathbb{Q}$ and $a_0 \ne 0$, 
then $k$ is the degree of $\alpha$. 


Example 3.1. Two examples of algebraic numbers are as follows: 

1. Rational numbers, which are the algebraic numbers of degree 1. 
2. $\sqrt{2}$, which is of degree 2 because we can take $f(x) = x^2 - 2 = 0$ ($\sqrt{2}$ is 
irrational). 


Any complex number that is not algebraic is said to be transcendental, such as $\pi$ 
and $e$. 


Definition 3.2. A complex number $\beta$ is an algebraic integer if it is a root of a 
monic polynomial 

$$x^k + b_1 x^{k-1} + b_2 x^{k-2} + \cdots + b_k = 0 \qquad (3.2)$$

where $b_1, b_2, \ldots, b_k \in \mathbb{Z}$. 


Remark 3.1. A quadratic integer is an algebraic integer satisfying a monic 
quadratic equation with integer coefficients. A cubic integer is an algebraic integer 
satisfying a monic cubic equation with integer coefficients. 


Example 3.2. Some examples of algebraic integers are as follows: 

1. Ordinary (rational) integers, which are the algebraic integers of degree 1, i.e., 
they satisfy the monic equations $x - a = 0$ for $a \in \mathbb{Z}$. 
2. $\sqrt{2}$ and $\sqrt[3]{5}$, because they satisfy the monic equations $x^2 - 2 = 0$ and $x^3 - 5 = 0$, 
respectively. 
3. $(-1 + \sqrt{-3})/2$, because it satisfies $x^2 + x + 1 = 0$. 
4. Gaussian integers $a + b\sqrt{-1}$, with $a, b \in \mathbb{Z}$. 


Clearly, every algebraic integer is an algebraic number, but the converse is not 
true. 


Proposition 3.1. A rational number $r \in \mathbb{Q}$ is an algebraic integer if and only if 
$r \in \mathbb{Z}$. 


Proof. If $r \in \mathbb{Z}$, then $r$ is a root of $x - r = 0$. Thus $r$ is an algebraic integer. Now 
suppose that $r \in \mathbb{Q}$ and $r$ is an algebraic integer (i.e., $r = c/d$ is a root of (3.2), 
where $c, d \in \mathbb{Z}$; we may assume $\gcd(c, d) = 1$). Substituting $c/d$ into (3.2) and 
multiplying both sides by $d^k$, we get 

$$c^k + b_1 c^{k-1} d + b_2 c^{k-2} d^2 + \cdots + b_k d^k = 0.$$

It follows that $d \mid c^k$ and $d \mid c$ (since $\gcd(c, d) = 1$). Again since $\gcd(c, d) = 1$, it 
follows that $d = \pm 1$. Hence $r = c/d \in \mathbb{Z}$. It follows, for example, that $2/5$ is an 
algebraic number but not an algebraic integer. □ 


Remark 3.2. The elements of $\mathbb{Z}$ are the only rational numbers that are algebraic integers. We shall refer to the elements of $\mathbb{Z}$ as rational integers when we need to distinguish them from other algebraic integers that are not rational. For example, $\sqrt{2}$ is an algebraic integer but not a rational integer.
The most interesting result concerning algebraic numbers and algebraic integers is the following theorem.

Theorem 3.1. The set of algebraic numbers forms a field, and the set of algebraic integers forms a ring.

Proof. See pp. 67–68 of Ireland and Rosen [42]. $\square$


Lemma 3.1. Let $f(x)$ be an irreducible monic polynomial of degree $d$ over the integers and $m$ an integer such that $f(m) \equiv 0 \pmod n$. Let $\alpha$ be a complex root of $f(x)$ and $\mathbb{Z}[\alpha]$ the set of all polynomials in $\alpha$ with integer coefficients. Then there exists a unique mapping $\Phi : \mathbb{Z}[\alpha] \to \mathbb{Z}_n$ satisfying:

1. $\Phi(ab) = \Phi(a)\Phi(b)$, $\forall a, b \in \mathbb{Z}[\alpha]$;
2. $\Phi(a + b) = \Phi(a) + \Phi(b)$, $\forall a, b \in \mathbb{Z}[\alpha]$;
3. $\Phi(za) = z\Phi(a)$, $\forall a \in \mathbb{Z}[\alpha]$, $z \in \mathbb{Z}$;
4. $\Phi(1) = 1$;
5. $\Phi(\alpha) \equiv m \pmod n$.


Now we are in a position to introduce the Number Field Sieve (NFS). Note that there are two main types of NFS: GNFS (general NFS) for general numbers and SNFS (special NFS) for numbers with special forms. The idea behind GNFS and SNFS is, however, the same:

[1] Find a monic irreducible polynomial $f(x)$ of degree $d$ in $\mathbb{Z}[x]$, and an integer $m$ such that $f(m) \equiv 0 \pmod n$.

[2] Let $\alpha \in \mathbb{C}$ be an algebraic number that is a root of $f(x)$, and denote the set of polynomials in $\alpha$ with integer coefficients as $\mathbb{Z}[\alpha]$.

[3] Define the mapping (ring homomorphism) $\Phi : \mathbb{Z}[\alpha] \to \mathbb{Z}_n$ via $\Phi(\alpha) = m$, which ensures that for any polynomial $h(x) \in \mathbb{Z}[x]$, we have $\Phi(h(\alpha)) \equiv h(m) \pmod n$.

[4] Find a finite set $U$ of coprime integers $(a, b)$ such that
\[
\prod_{(a,b) \in U} (a - b\alpha) = \beta^2, \qquad \prod_{(a,b) \in U} (a - bm) = y^2
\]
for $\beta \in \mathbb{Z}[\alpha]$ and $y \in \mathbb{Z}$. Let $x = \Phi(\beta)$. Then
\[
\begin{aligned}
x^2 &= \Phi(\beta)\Phi(\beta) \\
    &= \Phi(\beta^2) \\
    &= \Phi\Big(\prod_{(a,b) \in U} (a - b\alpha)\Big) \\
    &= \prod_{(a,b) \in U} \Phi(a - b\alpha) \\
    &= \prod_{(a,b) \in U} (a - bm) \\
    &\equiv y^2 \pmod n,
\end{aligned}
\]
which is of the required form of the factoring congruence, and hopefully, a factor of $n$ can be found by calculating $\gcd(x \pm y, n)$.


There are many ways to implement the above idea, all of which follow the same pattern as we discussed previously for CFRAC and QS/MPQS: by a sieving process one first tries to find congruences modulo $n$ by working over a factor base, and then does Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$ to obtain a congruence of squares $x^2 \equiv y^2 \pmod n$. We give in the following a brief description of the NFS algorithm [62].


Algorithm 3.1. Given an odd positive integer $n$, the NFS algorithm has the following four main steps in factoring $n$:

[1] (Polynomial selection) Select two irreducible polynomials $f(x)$ and $g(x)$ with small integer coefficients for which there exists an integer $m$ such that
\[
f(m) \equiv g(m) \equiv 0 \pmod n.
\]
The polynomials should not have a common factor over $\mathbb{Q}$.

[2] (Sieving) Let $\alpha$ be a complex root of $f$ and $\beta$ a complex root of $g$. Find pairs $(a, b)$ with $\gcd(a, b) = 1$ such that the integral norms of $a - b\alpha$ and $a - b\beta$:
\[
N(a - b\alpha) = b^{\deg(f)} f(a/b), \qquad N(a - b\beta) = b^{\deg(g)} g(a/b)
\]
are smooth with respect to a chosen factor base. (The principal ideals $a - b\alpha$ and $a - b\beta$ factor into products of prime ideals in the number fields $\mathbb{Q}(\alpha)$ and $\mathbb{Q}(\beta)$, respectively.)

[3] (Linear algebra) Use techniques of linear algebra to find a set $U = \{(a_i, b_i)\}$ of indices such that the two products
\[
\prod_{U} (a_i - b_i\alpha), \qquad \prod_{U} (a_i - b_i\beta) \tag{3.3}
\]
are both squares of products of prime ideals.

[4] (Square root) Use the set $U$ in (3.3) to find algebraic numbers $\alpha' \in \mathbb{Q}(\alpha)$ and $\beta' \in \mathbb{Q}(\beta)$ such that
\[
(\alpha')^2 = \prod_{U} (a_i - b_i\alpha), \qquad (\beta')^2 = \prod_{U} (a_i - b_i\beta). \tag{3.4}
\]
Define $\Phi_\alpha : \mathbb{Q}(\alpha) \to \mathbb{Z}_n$ and $\Phi_\beta : \mathbb{Q}(\beta) \to \mathbb{Z}_n$ via $\Phi_\alpha(\alpha) = \Phi_\beta(\beta) = m$, where $m$ is the common root of both $f$ and $g$. Then, with $x = \Phi_\alpha(\alpha')$ and $y = \Phi_\beta(\beta')$,
\[
\begin{aligned}
x^2 &= \Phi_\alpha(\alpha')\Phi_\alpha(\alpha') \\
    &= \Phi_\alpha\big((\alpha')^2\big) \\
    &= \Phi_\alpha\Big(\prod_{i \in U} (a_i - b_i\alpha)\Big) \\
    &\equiv \prod_{i \in U} (a_i - b_i m) \\
    &\equiv \Phi_\beta\Big(\prod_{i \in U} (a_i - b_i\beta)\Big) = \Phi_\beta\big((\beta')^2\big) \\
    &\equiv y^2 \pmod n,
\end{aligned}
\]
which is of the required form of the factoring congruence, and hopefully, a factor of $n$ can be found by calculating $\gcd(x \pm y, n)$.


Example 3.3. We first give a rather simple NFS factoring example. Let $n = 14885 = 5 \cdot 13 \cdot 229 = 122^2 + 1$. So we put $f(x) = x^2 + 1$ and $m = 122$, such that
\[
f(x) \equiv f(m) \equiv 0 \pmod n.
\]
If we choose $|a|, |b| < 50$, then we can easily find (by sieving) the following pairs (readers should be able to find many such pairs $(a_i, b_i)$ in the interval that are smooth up to, e.g., 29). So, we have
\[
\begin{array}{c|c|c}
(a, b) & \mathrm{Norm}(a + bi) & a + bm \\ \hline
(-49, 49) & 4802 = 2 \cdot 7^4 & 5929 = 7^2 \cdot 11^2 \\
(-41, 1) & 1682 = 2 \cdot 29^2 & 81 = 3^4
\end{array}
\]
and
\[
\begin{aligned}
(-49 + 49i)(-41 + i) &= (49 - 21i)^2, \\
\Phi(49 - 21i) &= 49 - 21m = 49 - 21 \cdot 122 = -2513 \to x, \\
5929 \cdot 81 &= (3^2 \cdot 7 \cdot 11)^2 = 693^2 \to y = 693.
\end{aligned}
\]
Thus,
\[
\gcd(x \pm y, n) = \gcd(-2513 \pm 693, 14885) = (65, 229).
\]

In the same way, if we wish to factor $n = 84101 = 290^2 + 1$, then we let $m = 290$ and $f(x) = x^2 + 1$, so that
\[
f(x) \equiv f(m) \equiv 0 \pmod n.
\]
We tabulate the sieving process as follows:
\[
\begin{array}{c|c|c}
(a, b) & \mathrm{Norm}(a + bi) & a + bm \\ \hline
(50, 1) & 2501 = 41 \cdot 61 & \text{[illegible in source]} \\
(-50, 3) & 2509 = 13 \cdot 193 & 820 = 2^2 \cdot 5 \cdot 41 \\
(-49, 43) & 4250 = 2 \cdot 5^3 \cdot 17 & 12421 = 12421 \\
(-38, 1) & 1445 = 5 \cdot 17^2 & 252 = 2^2 \cdot 3^2 \cdot 7 \\
(-22, 19) & 845 = 5 \cdot 13^2 & 5488 = 2^4 \cdot 7^3 \\
(-118, 11) & 14045 = 5 \cdot 53^2 & 3072 = 2^{10} \cdot 3 \\
(218, 59) & 51005 = 5 \cdot 101^2 & 17328 = 2^4 \cdot 3 \cdot 19^2
\end{array}
\]
Clearly, $-38 + i$ and $-22 + 19i$ can produce a product square, since
\[
\begin{aligned}
(-38 + i)(-22 + 19i) &= (31 - 12i)^2, \\
\Phi(31 - 12i) &= 31 - 12m = -3449 \to x, \\
252 \cdot 5488 &= (2^3 \cdot 3 \cdot 7^2)^2 = 1176^2 \to y = 1176, \\
\gcd(x \pm y, n) &= \gcd(-3449 \pm 1176, 84101) = (2273, 37).
\end{aligned}
\]
In fact, $84101 = 2273 \times 37$. Note that $-118 + 11i$ and $218 + 59i$ can also produce a product square, since
\[
\begin{aligned}
(-118 + 11i)(218 + 59i) &= (14 - 163i)^2, \\
\Phi(14 - 163i) &= 14 - 163m = -47256 \to x, \\
3072 \cdot 17328 &= (2^7 \cdot 3 \cdot 19)^2 = 7296^2 \to y = 7296, \\
\gcd(x \pm y, n) &= \gcd(-47256 \pm 7296, 84101) = (37, 2273).
\end{aligned}
\]
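The sieving, linear-algebra and square-root steps of Algorithm 3.1 for the case $f(x) = x^2 + 1$ used in Example 3.3, written out as an added, self-contained Python example (this is not code from the book). It collects pairs $(a, b)$ whose norm $a^2 + b^2$ and rational value $a + bm$ are both smooth over a small factor base, records prime-ideal exponents modulo 2 (the prime ideal $(p, i - r)$ with $r^2 \equiv -1 \pmod p$ divides $a + bi$ exactly when $a + br \equiv 0 \pmod p$), finds a dependency over $\mathrm{GF}(2)$, takes the exact square root in $\mathbb{Z}[i]$, maps it through $\Phi(i) = m$ and computes $\gcd(x \pm y, n)$. The search bounds ($|a| \le 100$, $1 \le b \le 100$, factor-base primes $\le 50$) and all function names are my choices, not the book's $|a|, |b| < 50$, so the pairs it picks need not be the ones tabulated above.

```python
from math import gcd, isqrt


def primes_up_to(bound):
    """Primes <= bound by a plain sieve of Eratosthenes."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for p in range(2, isqrt(bound) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p in range(2, bound + 1) if flags[p]]


def smooth_exponents(value, primes):
    """Trial-divide |value| over the factor base; exponent list, or None if not smooth."""
    value = abs(value)
    exps = []
    for p in primes:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def gaussian_sqrt(s, t):
    """Exact square root of s + t*i in Z[i], or None if it is not a square there."""
    norm = s * s + t * t
    r = isqrt(norm)                     # |s + t i|^2 must itself be a perfect square
    if r * r != norm or (r + s) % 2 or (r - s) % 2:
        return None
    x, y = isqrt((r + s) // 2), isqrt((r - s) // 2)   # x^2 - y^2 = s and x^2 + y^2 = r
    if 2 * x * y != t:
        y = -y                          # choose the sign of y so that 2xy is the imaginary part
    return (x, y) if x * x - y * y == s and 2 * x * y == t else None


def gf2_dependencies(rows):
    """Yield index sets whose bit-vectors XOR to zero (Gaussian elimination over GF(2))."""
    basis = {}                          # pivot bit -> (reduced vector, which rows it combines)
    for i, vec in enumerate(rows):
        combo = 1 << i
        while vec:
            pivot = vec & -vec          # lowest set bit of the current vector
            if pivot not in basis:
                basis[pivot] = (vec, combo)
                break
            bvec, bcombo = basis[pivot]
            vec, combo = vec ^ bvec, combo ^ bcombo
        if vec == 0:
            yield [j for j in range(i + 1) if combo >> j & 1]


def nfs_gaussian(n, m, bound=50, amax=100):
    """Toy NFS for n = m^2 + 1 with f(x) = x^2 + 1, so Z[alpha] = Z[i] and Phi(i) = m.
    Returns a nontrivial factor of n, or None if no dependency produced one."""
    assert m * m + 1 == n, "this toy sieve only handles n = m^2 + 1"
    rat_fb = primes_up_to(bound)
    # Algebraic factor base: the prime ideal (p, i - r) with r^2 = -1 (mod p) divides
    # a + b i exactly when a + b r = 0 (mod p).  For p = 2 the root r = 1 gives (1 + i).
    alg_fb = [(p, r) for p in rat_fb for r in range(p) if (r * r + 1) % p == 0]
    relations, rows = [], []
    for b in range(1, amax + 1):
        for a in range(-amax, amax + 1):
            if gcd(a, b) != 1:
                continue
            rat, norm = a + b * m, a * a + b * b       # rational side and N(a + b i)
            rexp = smooth_exponents(rat, rat_fb)
            nexp = smooth_exponents(norm, rat_fb)
            if rexp is None or nexp is None:
                continue
            bits = [rat < 0] + [e & 1 for e in rexp]   # sign column + rational exponents mod 2
            for p, r in alg_fb:                        # prime-ideal exponents mod 2
                bits.append(nexp[rat_fb.index(p)] & 1 if (a + b * r) % p == 0 else 0)
            rows.append(sum(int(bit) << k for k, bit in enumerate(bits)))
            relations.append((a, b))
    for dep in gf2_dependencies(rows):
        s, t, y2 = 1, 0, 1
        for j in dep:
            a, b = relations[j]
            s, t = s * a - t * b, s * b + t * a        # (s + t i)(a + b i) in Z[i]
            y2 *= a + b * m
        root = gaussian_sqrt(s, t)
        if root is None:        # the product is a unit times a square; try the next dependency
            continue
        u, v = root
        x, y = (u + v * m) % n, isqrt(y2) % n          # x = Phi(u + v i), y = sqrt of rational side
        for d in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < d < n:
                return d
    return None
```

`nfs_gaussian(14885, 122)` returns a nontrivial factor of 14885 (which of 5, 13, 229 or a product of two of them depends on the first dependency that survives), and `nfs_gaussian(84101, 290)` returns 37 or 2273. Two details are worth noticing: the sign column on the rational side is what guarantees that $\prod (a + bm)$ is a positive square rather than the negative of one, and on the algebraic side an even ideal exponent vector only says the product is a unit times a square in $\mathbb{Z}[i]$; when that unit is $\pm i$ the exact square root fails and the dependency is skipped.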


Example 3.4. Next we present a slightly more complicated example. Use NFS to factor $n = 1098413$. First notice that $n = 1098413 = 12 \cdot 45^3 + 17^3$, which is in a special form and can be factored by using SNFS.

[1] (Polynomial selection) Select the two irreducible polynomials $f(x)$ and $g(x)$ and the integer $m$ as follows:
\[
\begin{aligned}
f(x) &= x^3 + 12 \ \Longrightarrow\ f(m) = \Big(\frac{17}{45}\Big)^3 + 12 \equiv 0 \pmod n, \\
g(x) &= 45x - 17 \ \Longrightarrow\ g(m) = 45\Big(\frac{17}{45}\Big) - 17 \equiv 0 \pmod n.
\end{aligned}
\]

[2] (Sieving) Suppose after sieving, we get $U = \{(a_i, b_i)\}$ as follows:
\[
U = \{(6, -1), (3, 2), (-7, 3), (1, 3), (-2, 5), (-3, 8), (9, 10)\}.
\]
That is, the chosen polynomial that produces a product square can be constructed as follows (as an exercise, readers may wish to choose some other polynomial which can also produce a product square):
\[
\prod_{U} (a_i + b_i x) = (6 - x)(3 + 2x)(-7 + 3x)(1 + 3x)(-2 + 5x)(-3 + 8x)(9 + 10x).
\]
Let $\alpha = \sqrt[3]{-12}$ and $\beta = \frac{17}{45}$. Then
\[
\begin{aligned}
\prod_{U} (a_i + b_i\alpha) &= 7400772 + 1138236\alpha - 105495\alpha^2 \\
  &= (2694 + 213\alpha - 28\alpha^2)^2 \\
  &\equiv \Big(\frac{5610203}{2025}\Big)^2 \\
  &\equiv 270729^2, \\[4pt]
\prod_{U} (a_i + b_i\beta) &= \frac{2^8 \cdot 11^2 \cdot 13^2 \cdot 23^2}{3^{12} \cdot 5^4} \\
  &= \Big(\frac{52624}{18225}\Big)^2 \\
  &\equiv 875539^2.
\end{aligned}
\]
So, we get the required congruence of squares:
\[
270729^2 \equiv 875539^2 \pmod{1098413}.
\]
Thus,
\[
\gcd(270729 \pm 875539, 1098413) = (563, 1951).
\]
That is, $1098413 = 563 \cdot 1951$.
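The ring homomorphism $\Phi$ of Lemma 3.1 and the two sides of Example 3.4, recomputed in Python as an added example (not the book's code). Elements of $\mathbb{Z}[\alpha]$ are stored as coefficient triples reduced by $\alpha^3 = -12$; the product over $U$ is formed, the square root $2694 + 213\alpha - 28\alpha^2$ stated in the text is checked to square to it, and both squares are mapped into $\mathbb{Z}_n$ ($\Phi(\alpha) = m = 17/45 \bmod n$ on the algebraic side, $\beta = 17/45$ kept as an exact fraction on the rational side). The coefficient-list representation and the function names are my own.

```python
from math import gcd

N = 1098413                    # Example 3.4: n = 12 * 45**3 + 17**3
M = 17 * pow(45, -1, N) % N    # common root m = 17/45 (mod n) of f(x) = x^3 + 12 and g(x) = 45x - 17
U = [(6, -1), (3, 2), (-7, 3), (1, 3), (-2, 5), (-3, 8), (9, 10)]


def mul_mod_f(p, q):
    """Multiply two elements of Z[alpha], each a list [c0, c1, c2] meaning c0 + c1*alpha + c2*alpha^2,
    and reduce with alpha^3 = -12 (hence alpha^4 = -12*alpha)."""
    prod = [0] * 5
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            prod[i + j] += pi * qj
    prod[0] -= 12 * prod[3]
    prod[1] -= 12 * prod[4]
    return prod[:3]


def phi(elem, m=M, n=N):
    """The ring homomorphism Phi of Lemma 3.1: alpha -> m, so
    c0 + c1*alpha + c2*alpha^2 -> c0 + c1*m + c2*m^2 (mod n)."""
    return (elem[0] + elem[1] * m + elem[2] * m * m) % n


def product_in_Z_alpha(pairs):
    """prod (a + b*alpha) over the pairs, as an element of Z[alpha]."""
    prod = [1, 0, 0]
    for a, b in pairs:
        prod = mul_mod_f(prod, [a, b, 0])
    return prod


def rational_side(pairs):
    """prod (a + b*beta) with beta = 17/45, kept as an exact fraction (numerator, denominator)."""
    num = 1
    for a, b in pairs:
        num *= 45 * a + 17 * b
    return num, 45 ** len(pairs)


def example_3_4(n=N):
    """Redo the square-root and gcd steps of Example 3.4; returns (x, y, gcd(x - y, n), gcd(x + y, n))."""
    alpha_prod = product_in_Z_alpha(U)               # 7400772 + 1138236 alpha - 105495 alpha^2
    alpha_root = [2694, 213, -28]                    # the square root stated in the text
    assert mul_mod_f(alpha_root, alpha_root) == alpha_prod
    x = phi(alpha_root)                              # Phi(alpha') = 5610203/2025 = 270729 (mod n)
    assert phi(alpha_prod) == x * x % n              # Phi is multiplicative: Phi(alpha'^2) = Phi(alpha')^2
    num, den = rational_side(U)
    y2 = num * pow(den, -1, n) % n
    y = 52624 * pow(18225, -1, n) % n                # sqrt of the rational side, 52624/18225 (mod n)
    assert y * y % n == y2
    return x, y, gcd(x - y, n), gcd(x + y, n)
```

`example_3_4()` returns `(270729, 875539, 1951, 563)`, i.e. the two values whose squares are congruent and the two factors obtained from $\gcd(x \mp y, n)$. The check `phi(alpha_prod) == x * x % n` is exactly property 1 of Lemma 3.1 applied to $(\alpha')^2$: it is the reason the congruence of squares survives the passage from $\mathbb{Z}[\alpha]$ to $\mathbb{Z}_n$.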


Example 3.5. We give some large factoring examples using NFS.

1. SNFS examples: One of the largest numbers factored by SNFS is
\[
n = (12^{167} + 1)/13 = p_{75} \cdot p_{105}.
\]
It was announced by P. Montgomery, S. Cavallar and H. te Riele at CWI in Amsterdam on 3 September 1997. They used the polynomials $f(x) = x^5 - 144$ and $g(x) = 12^{33}x + 1$ with common root $m \equiv 12^{134} \pmod n$. The factor base bound was 4.8 million for $f$ and 12 million for $g$. Both large prime bounds were 150 million, with two large primes allowed on each side. They sieved over $|a| < 8.4$ million and $0 < b < 2.5$ million. The sieving lasted 10.3 calendar days; 85 SGI machines at CWI contributed a combined 13027719 relations in 560 machine-days. It took 1.6 more calendar days to process the data. This processing included 16 CPU-hours on a Cray C90 at SARA in Amsterdam to process a $1969262 \times 1986500$ matrix with 57942503 nonzero entries. The other large number factorized by using SNFS is the 9th Fermat number:
\[
F_9 = 2^{2^9} + 1 = 2^{512} + 1 = 2424833 \cdot p_{49} \cdot p_{99},
\]
a number with 155 digits; it was completely factored in April 1990. The most wanted factoring number of special form at present is the 12th Fermat number
\[
F_{12} = 2^{2^{12}} + 1 = 2^{4096} + 1;
\]
we only know its partial prime factorization:
\[
F_{12} = 114689 \cdot 26017793 \cdot 63766529 \cdot 190274191361 \cdot 1256132134125569 \cdot c_{1187}
\]
and we want to find the prime factors of the remaining 1187-digit composite.
2. GNFS examples:

RSA-130 (130 digits, 430 bits)
= 18070820886874048059516561644059055662781025167694013491
70127021450056662540244048387341127590812303371781887966
563182013214880557
= 39685999459597454290161126162883786067576449112810064832
555157243
×
45534498646735972188403686897274408864356301263205069600
999044599.

RSA-140 (140 digits, 463 bits)
= 2129024631825875754749788201627151749780670396327721627
8233383215381949984056495911366573853021918316783107387
995317230889569230873441936471
= 3398717423028438554530123627613875835633986495969597423
490929302771479
×
6264200187401285096151654948264442219302037178623509019
111660653946049.

RSA-155 (155 digits, 512 bits)
= 1094173864157052742180970732204035761200373294544920599
0913842131476349984288934784717997257891267332497625752
899781833797076537244027146743531593354333897
= 102639592829741105772054196573991675900716567808038066
803341933521790711307779
×
1066034883801684548209272203600128786792079585759892915
22270608237193062808643.

RSA-576 (174 digits, 576 bits)
= 18819881292060796383869723946165043980716356337941738
27007633564229888597152346654853190606065047430453173
88011303396716199692321205734031879550656996221305168
759307650257059
= 39807508642406493739712550055038649119906436234252670
8406385189575946388957261768583317
×
47277214610743530253622307197304822463291469530209711
6459852171130520711256363590397527.

RSA-640 (193 digits, 640 bits)
= 31074182404900437213507500358885679300373460228427275
45720161948823206440518081504556346829671723286782437
91627283803341547107310
= 16347336458092538484431338838650908598417836700330923
12181110852389333100104508151212118167511579
×
19008712816648221131268515739354139754718967899685154
93666638539088027103802104498957191261465571.

RSA-663 (200 digits, 663 bits)
= 27997833911221327870829467638722601621070446786955428
53756000992932612840010760934567105295536085606182235
19109513657886371059544820065767750985805576135790987
34950144178863178946295187237869221823983
= 35324619344027701212726049781984643686711974001976250
23649303468776121253679423200058547956528088349
×
79258699544783330333470858414800596877379758573642199
60734330341455767872818152135381409304740185467

RSA-704 (212 digits, 704 bits)
= 7403756347956171282804679609742957314259318888923128
9084936232638972765034028266276891996419625117843995
8943305021275853701189680982867331732731089309005525
0511687706329907239638078671008609696253793465056379
6359
= 9091213529597818878440658302600437485892608310328358
7204285121689604115286409333678249507883679567568061
41
×
8143859259110045265727809126284429335877899002167627
8832009141724293243601330041167020032408287779702524
99.

RSA-768 (232 digits, 768 bits)
= 123018668453011775513049495838496272077285356959533
479219732245215172640050726365751874520219978646938
995647494277406384592519255732630345373154826850791
702612214291346167042921431160222124047927473779408
0665351419597459856902143413
= 334780716989568987860441698482126908177047949837137
685689124313889828837938780022876147116525317430877
37814467999489
×
367460436667995904282446337996279526322791581643430
876426760322838157396665112792333734171433968102700
92798736308917.

Remark 3.3. Prior to the NFS, all modern factoring methods had an expected running time of at best
\[
O\Big(\exp\big((c + o(1))\sqrt{\log n \log\log n}\,\big)\Big).
\]
For example, Dixon's random square method has the expected running time
\[
O\Big(\exp\big((\sqrt{2} + o(1))\sqrt{\log n \log\log n}\,\big)\Big),
\]
whereas the Multiple Polynomial Quadratic Sieve (MPQS) takes time
\[
O\Big(\exp\big((1 + o(1))\sqrt{\log n \log\log n}\,\big)\Big).
\]
Because of the Canfield–Erdős–Pomerance theorem, some people even believed that this could not be improved, except maybe for the term $(c + o(1))$, but the invention of the NFS has changed this belief.

Conjecture 3.1 (Complexity of NFS). Under some reasonable heuristic assumptions, the NFS method can factor an integer $n$ in time
\[
O\Big(\exp\big((c + o(1))\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\,\big)\Big),
\]
where $c = (64/9)^{1/3} \approx 1.922999427$ if GNFS is used to factor an arbitrary integer $n$, whereas $c = (32/9)^{1/3} \approx 1.526285657$ if SNFS is used to factor a special integer $n$.


3.1.3 $\rho$-Factoring Method

Although NFS is the fastest method of factoring at present, other methods are also useful; one particular method is the $\rho$-factoring method [70]. Surprisingly, it is the method that is applicable to all three infeasible problems discussed in this book, IFP, DLP and ECDLP.

$\rho$ uses an iteration of the form
\[
\begin{aligned}
x_0 &= \mathrm{random}(0, n-1), \\
x_i &\equiv f(x_{i-1}) \pmod n, \quad i = 1, 2, 3, \ldots
\end{aligned}
\]
where $x_0$ is a random starting value, $n$ is the number to be factored, and $f \in \mathbb{Z}[x]$ is a polynomial with integer coefficients; usually, we just simply choose $f(x) = x^2 + a$ with $a \neq -2, 0$. If $p$ is prime, then the sequence $\{x_i \bmod p\}_{i \ge 0}$ must eventually repeat. Let $f(x) = x^2 + 1$, $x_0 = 0$, $p = 563$. Then we get the sequence $\{x_i \bmod p\}_{i \ge 0}$ as follows:
\[
\begin{aligned}
x_0 &= 0, \\
x_1 &= x_0^2 + 1 = 1, \\
x_2 &= x_1^2 + 1 = 2, \\
x_3 &= x_2^2 + 1 = 5, \\
x_4 &= x_3^2 + 1 = 26, \\
x_5 &= x_4^2 + 1 = 114, \\
x_6 &= x_5^2 + 1 = 48, \\
x_7 &= x_6^2 + 1 = 53, \\
x_8 &= x_7^2 + 1 = 558, \\
x_9 &= x_8^2 + 1 = 26.
\end{aligned}
\]
That is,
\[
0, 1, 2, 5, 26, 114, 48, 53, 558.
\]
This sequence, drawn as a diagram, looks like the Greek letter $\rho$ (Figure 3.1).

Figure 3.1 $\rho$ cycle modulo 563 using $f(x) = x^2 + 1$ and $x_0 = 0$

As an exercise, readers may wish to find the $\rho$ cycle modulo 1951 using $f(x) = x^2 + 1$ and $x_0 = 0$. Of course, to factor $n$, we do not know its prime factors beforehand, but we can simply work modulo $n$ (justified by the Chinese Remainder Theorem). For example, to factor $n = 1098413 = 563 \cdot 1951$, we perform (all modulo 1098413), with $y_i = x_{2i}$ and $d = \gcd(x_i - y_i, n)$:
\[
\begin{aligned}
x_0 &= 0, \\
x_1 &= x_0^2 + 1 = 1, \\
x_2 &= x_1^2 + 1 = 2, & y_1 &= x_2 = 2, & \gcd(1 - 2, n) &= 1, \\
x_3 &= x_2^2 + 1 = 5, \\
x_4 &= x_3^2 + 1 = 26, & y_2 &= x_4 = 26, & \gcd(2 - 26, n) &= 1, \\
x_5 &= x_4^2 + 1 = 677 \equiv 114 \pmod{563}, \\
x_6 &= x_5^2 + 1 = 458330 \equiv 48 \pmod{563}, & y_3 &= x_6 = 458330, & \gcd(5 - 458330, n) &= 1, \\
x_7 &= x_6^2 + 1 = 394716 \equiv 53 \pmod{563}, \\
x_8 &= x_7^2 + 1 = 722324 \equiv 558 \pmod{563}, & y_4 &= x_8 = 722324, & \gcd(26 - 722324, n) &= 1, \\
x_9 &= x_8^2 + 1 = 293912 \equiv 26 \pmod{563}, \\
x_{10} &= x_9^2 + 1 = 671773 \equiv 114 \pmod{563}, & y_5 &= x_{10} = 671773, & \gcd(677 - 671773, n) &= 563.
\end{aligned}
\]


The following algorithm is the improved version by Brent [11] of Pollard's original $\rho$-method.

Algorithm 3.2 (Brent-Pollard's $\rho$-Method). Let $n$ be a composite integer greater than 1. This algorithm tries to find a nontrivial factor $d$ of $n$, which is small compared with $\sqrt{n}$. Suppose the polynomial to use is $f(x) = x^2 + 1$.

[1] (Initialization) Choose a seed, say $x_0 = 2$, and a generating function, say $f(x) = x^2 + 1 \pmod n$. Choose also a value for $t$ not much bigger than $\sqrt{d}$, perhaps $t < 100\sqrt{d}$.

[2] (Iteration and computation) Compute $x_i$ and $y_i$ in the following way:
\[
\begin{aligned}
x_1 &= f(x_0), \\
x_2 &= f(f(x_0)) = f(x_1), \\
x_3 &= f(f(f(x_0))) = f(f(x_1)) = f(x_2), \\
&\ \,\vdots \\
x_i &= f(x_{i-1}), \\[4pt]
y_1 &= x_2 = f(x_1) = f(f(x_0)), \\
y_2 &= x_4 = f(x_3) = f(f(x_2)) = f(f(y_1)), \\
y_3 &= x_6 = f(x_5) = f(f(x_4)) = f(f(y_2)), \\
&\ \,\vdots \\
y_i &= x_{2i} = f(f(y_{i-1})),
\end{aligned}
\]
and simultaneously compare $x_i$ and $y_i$ by computing $d = \gcd(x_i - y_i, n)$.

[3] (Factor found?) If $1 < d < n$, then $d$ is a nontrivial factor of $n$; print $d$ and go to Step [5].

[4] (Another search?) If $x_i \equiv y_i \pmod n$ for some $i$, or $i > \sqrt{t}$, then go to Step [1] to choose a new seed and a new generator and repeat.

[5] (Exit) Terminate the algorithm.

The $\rho$ algorithm has the conjectured complexity:

Conjecture 3.2 (Complexity of the $\rho$-Method). Let $p$ be a prime dividing $n$ and $p = O(\sqrt{n})$. Then the $\rho$-algorithm has expected running time
\[
O(\sqrt{p}) = O\big(\sqrt{p}\,(\log n)^2\big) = O\big(n^{1/4}(\log n)^2\big)
\]
to find the prime factor $p$ of $n$.

Remark 3.4. The $\rho$-method is an improvement over trial division, because in trial division, $O(p) = O(n^{1/2})$ divisions are needed to find a small factor $p$ of $n$. But of course, one disadvantage of the $\rho$-algorithm is that its running time is only a conjectured expected value, not a rigorous bound.
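Algorithm 3.2 exactly as stated above ($x_i = f(x_{i-1})$, $y_i = x_{2i}$, $d = \gcd(x_i - y_i, n)$, a fresh seed when the walk closes up), together with the sequence of Figure 3.1 and a routine that measures the tail and cycle lengths $t$ and $u$ asked for in Problem 7 of the next section, as an added Python example that is not the book's code. The seeds tried by `factor_with_rho`, the iteration cap and all function names are my choices.

```python
from math import gcd


def rho_sequence(modulus, x0=0, length=10):
    """First `length` terms of x_i = x_{i-1}^2 + 1 (mod modulus), the sequence drawn in Figure 3.1."""
    seq = [x0 % modulus]
    for _ in range(length - 1):
        seq.append((seq[-1] * seq[-1] + 1) % modulus)
    return seq


def brent_pollard_rho(n, x0=2, a=1, max_iter=100_000):
    """Algorithm 3.2 as stated in the text: x_i = f(x_{i-1}), y_i = x_{2i}, d = gcd(x_i - y_i, n),
    with f(x) = x^2 + a.  Returns a nontrivial factor, or None if the walk closed up (x_i = y_i mod n)
    or max_iter was reached, in which case Step [4] says to pick a new seed."""
    def f(x):
        return (x * x + a) % n
    x = y = x0 % n
    for _ in range(max_iter):
        x = f(x)              # x_i
        y = f(f(y))           # y_i = x_{2i} = f(f(y_{i-1}))
        d = gcd(x - y, n)
        if d == n:
            return None
        if d > 1:
            return d
    return None


def factor_with_rho(n, seeds=(2, 0, 1, 3, 5), a=1):
    """Run Algorithm 3.2 over several seeds, as Step [4] prescribes when one walk fails."""
    for seed in seeds:
        d = brent_pollard_rho(n, x0=seed, a=a)
        if d is not None:
            return d
    return None


def rho_tail_and_cycle(modulus, x0=0, a=1):
    """Lengths (t, u) of the tail and cycle of x_i mod `modulus` (the t and u of Problem 7 below):
    Floyd's tortoise/hare finds a point on the cycle, then the tail and the cycle are measured."""
    def f(x):
        return (x * x + a) % modulus
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    t, tortoise = 0, x0 % modulus      # hare now sits at a position i with u | i and i >= t
    while tortoise != hare:            # stepping both in lockstep meets at the first cycle element
        tortoise, hare, t = f(tortoise), f(hare), t + 1
    u, hare = 1, f(tortoise)
    while hare != tortoise:
        hare, u = f(hare), u + 1
    return t, u
```

With the seed $x_0 = 0$ of the worked run above, `brent_pollard_rho(1098413, x0=0)` finds 563 at $i = 5$, reproducing the table line $\gcd(677 - 671773, n) = 563$; modulo 563 the walk has tail length 4 and cycle length 5, which `rho_tail_and_cycle(563, 0)` returns as `(4, 5)`. The comparison of $x_i$ with $x_{2i}$ is the one the text states in Step [2]; Brent's own refinement compares $x_i$ with the saved $x_{2^k}$ and batches several differences into one gcd, which costs fewer polynomial evaluations per step but is not what Algorithm 3.2 writes out.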


Problems for Section 3.1

1. Explain why general purpose factoring algorithms are slower than special purpose factoring algorithms, or why numbers of special form are easier to factor than general numbers.

2. Show that

(1) addition of two $\log n$ bit integers can be performed in $O(\log n)$ bit operations;

(2) multiplication of two $\log n$ bit integers can be performed in $O((\log n)^{1+\epsilon})$ bit operations.

3. Show that

(1) assuming the Extended Riemann Hypothesis (ERH), there is a deterministic algorithm that factors $n$ in $O(n^{1/5+\epsilon})$ steps;

(2) the FFT (Fast Fourier Transform) can be utilized to factor an integer $n$ in $O(n^{1/4+\epsilon})$ steps;

(3) give two deterministic algorithms that factor an integer $n$ in $O(n^{1/3+\epsilon})$ steps.

4. Show that if $\mathcal{P} = \mathcal{NP}$, then IFP $\in \mathcal{P}$.

5. Prove or disprove that IFP $\in \mathcal{NP}$-Complete.

6. Extend the NFS (Number Field Sieve) to FFS (Function Field Sieve). Give a complete description of the FFS for factoring large integers.

7. Let $x_i = f(x_{i-1})$, $i = 1, 2, 3, \ldots$. Let also $t, u > 0$ be the smallest numbers such that $x_{t+i} = x_{t+u+i}$, $i = 0, 1, 2, \ldots$, where $t$ and $u$ are called the lengths of the $\rho$ tail and cycle, respectively. Give an efficient algorithm to determine $t$ and $u$ exactly, and analyze the running time of your algorithm.


8. Find the prime factorization of the following RSA numbers; each of these numbers has two prime factors.

(1) RSA-896 (270 digits, 896 bits)

4120234369866595438555313653325759481798116998443279828454556
26433876445565248426198098870423161841879261420247188869​49256
0931776375033421130982397485150944909106910269861031862704114
88086697056490290365365886743373172081310410519086425479​32826
01391257624033946373269391,

(2) RSA-1024 (309 digits, 1024 bits)

13506641086599522334960321627880596993888147560566702752​44851
4385152651060485953383394028715057190944179820728216447155137
368041970396419174304649658927425623934102086438320211037​2958
7257623585096431105640735015081875106765946292055636855294752
1350085287941637732853390610975054433499981115005697723689092
7563,

(3) RSA-1536 (463 digits, 1536 bits)

18476997032117414743068356202001644030185493386634101714​71785
7749106516967111612498593376843054357445856160615445717940522
29717732524660960646946071249623720442022269756756687378427​56
23895087646784409332851574965788434150884755282981867264513​39
8633649319080846719904318743812833635027954702826532978029349
1615581188104984490831954500984839377522725705257859194499387
0073695755688436933812779613089230392569695253261620823676490
3160365513714479139323471695669880​69,

(4) RSA-2048 (617 digits, 2048 bits)

2519590847565789349402718324004839857142928212620403202777713
7836043662020707595556264018525880784406918290641249515082189
2985591491761845028084891200728449926873928072877767359714183
4727026189637501497182469116507761337985909570009733045974880
8428401797429100642458691817195118746121515172654632282216869
9875491824224336372590851418654620435767984233871847744479207
3993423658482382428119816381501067481045166037730605620161967
6256133844143603833904414952634432190114657544454178424020924
6165157233507787077498171257724679629263863563732899121548314
3816789988504044536402352738195137863656439121201039712282212
0720357.
9. Try to complete the following prime factorizations of the smallest unfactored (not completely factored) Fermat numbers:
\[
\begin{aligned}
F_{12} &= 2^{2^{12}} + 1 = 114689 \cdot 26017793 \cdot 63766529 \cdot 190274191361 \cdot 1256132134125569 \cdot c_{1187}, \\
F_{13} &= 2^{2^{13}} + 1 = 2710954639361 \cdot 2663848877152141313 \cdot 3603109844542291969 \cdot 319546020820551643220672513 \cdot c_{2391}, \\
F_{14} &= 2^{2^{14}} + 1 = c_{4933}, \\
F_{15} &= 2^{2^{15}} + 1 = 1214251009 \cdot 2327042503868417 \cdot 168768817029516972383024127016961 \cdot c_{8616}, \\
F_{16} &= 2^{2^{16}} + 1 = 825753601 \cdot 188981757975021318420037633 \cdot c_{19694}, \\
F_{17} &= 2^{2^{17}} + 1 = 31065037602817 \cdot c_{39444}, \\
F_{18} &= 2^{2^{18}} + 1 = 13631489 \cdot 81274690703860512587777 \cdot c_{78884}, \\
F_{19} &= 2^{2^{19}} + 1 = 70525124609 \cdot 646730219521 \cdot c_{157804}, \\
F_{20} &= 2^{2^{20}} + 1 = c_{315653}, \\
F_{21} &= 2^{2^{21}} + 1 = 4485296422913 \cdot c_{631294}, \\
F_{22} &= 2^{2^{22}} + 1 = c_{1262612}, \\
F_{23} &= 2^{2^{23}} + 1 = 167772161 \cdot c_{2525215}, \\
F_{24} &= 2^{2^{24}} + 1 = c_{5050446}.
\end{aligned}
\]
Basically, you are asked to factor the unfactored composite numbers, denoted by $c_k$, of the Fermat numbers. For example, in $F_{12}$, $c_{1187}$ is the unfactored 1187-digit composite.

10. Both the ECM (Elliptic Curve Method) factoring algorithm and the NFS (Number Field Sieve) factoring algorithm are very well suited for parallel implementation. Is it possible to utilize quantum parallelism to implement the ECM and NFS algorithms? If so, give a complete description of the quantum ECM and NFS algorithms.

11. Pollard [69] and Strassen [88] showed that the FFT can be utilized to factor an integer $n$ in $O(n^{1/4+\epsilon})$ steps, deterministically. Is it possible to replace the classical FFT with a quantum FFT in the Pollard-Strassen method, in order to obtain a deterministic quantum polynomial-time factoring algorithm (i.e., to obtain a $\mathcal{QP}$ factoring algorithm rather than the $\mathcal{BQP}$ algorithm proposed by Shor)? If so, give a full description of the $\mathcal{QP}$ factoring algorithm.

12. At the very heart of the Pollard $\rho$ method for IFP lies the phenomenon of periodicity. Develop a quantum period-finding algorithm, if possible, for the $\rho$ factoring algorithm.
All the existing factoring algorithms to date, such as the NFS and the $\rho$-method, are inefficient and cannot be run in polynomial-time. This unreasonable effectiveness of factoring makes it useful for constructing unbreakable cryptography. In fact, the most famous and widely used RSA cryptographic system is the first factoring-based cryptographic system, for which its three inventors, Rivest, Shamir and Adleman, received the 2002 Turing Award. Note that RSA is also the world's first public-key cryptographic system. The security of RSA and other factoring-based cryptographic systems relies heavily on the intractability of the integer factorization problem. Anyone who can solve the integer factorization problem in polynomial-time can break the RSA cryptographic system in polynomial-time. In this section, we introduce the basic idea of the unbreakable RSA cryptographic system.
Figure 3.2 RSA public-key cryptography (Bob, the sender, encrypts the plaintext $M$ as $C \equiv M^e \pmod n$ and sends $C$ over a public/insecure channel; Alice, the receiver, holding $(e, d, n) \in \mathcal{K}$, decrypts $M \equiv C^d \pmod n$; Eve, the cryptanalyst, observes $C$ and tries to obtain $M' = M$)


Definition 3.3. The RSA public-key cryptosystem may be formally defined as follows (depicted in Figure 3.2):
\[
\mathrm{RSA} = (\mathcal{M}, \mathcal{C}, \mathcal{K}, M, C, e, d, n, E, D)
\]
where

1. $\mathcal{M}$ is the set of plaintexts, called the plaintext space.
2. $\mathcal{C}$ is the set of ciphertexts, called the ciphertext space.
3. $\mathcal{K}$ is the set of keys, called the key space.
4. $M \in \mathcal{M}$ is a particular piece of plaintext.
5. $C \in \mathcal{C}$ is a particular piece of ciphertext.
6. $n = pq$ is the modulus with $p, q$ prime numbers, usually each with at least 100 digits.
7. $\{(e, n), (d, n)\} \in \mathcal{K}$ with $e \neq d$ are the encryption and decryption keys, respectively, satisfying
\[
ed \equiv 1 \pmod{\phi(n)},
\]
where $\phi(n) = (p-1)(q-1)$ is the Euler $\phi$-function, defined by $\phi(n) = \#(\mathbb{Z}_n^*)$, the number of elements in the multiplicative group $\mathbb{Z}_n^*$.
8. $E$ is the encryption function
\[
E_{(e,n)} : \mathcal{M} \to \mathcal{C}.
\]
That is, $M \in \mathcal{M}$ maps to $C \in \mathcal{C}$, using the public-key $(e, n)$, such that
\[
C \equiv M^e \pmod n.
\]
9. $D$ is the decryption function
\[
D_{(d,n)} : \mathcal{C} \to \mathcal{M}.
\]
That is, $C \in \mathcal{C}$ maps to $M \in \mathcal{M}$, using the private-key $(d, n)$, such that
\[
M \equiv C^d \equiv (M^e)^d \pmod n.
\]


The idea of RSA can be best depicted in Figure 3.3.

Theorem 3.2 (The Correctness of RSA). Let $M, C, e, d, n$ be the plaintext, ciphertext, encryption exponent, decryption exponent, and modulus, respectively. Then
\[
(M^e)^d \equiv M \pmod n.
\]

Proof. Notice first that
\[
\begin{aligned}
C^d &\equiv (M^e)^d \pmod n && \text{(since } C \equiv M^e \pmod n\text{)} \\
    &\equiv M^{1 + k\phi(n)} \pmod n && \text{(since } ed \equiv 1 \pmod{\phi(n)}\text{)} \\
    &\equiv M \cdot M^{k\phi(n)} \pmod n \\
    &\equiv M \cdot (M^{\phi(n)})^k \pmod n \\
    &\equiv M \cdot (1)^k \pmod n && \text{(by Euler's Theorem } a^{\phi(n)} \equiv 1 \pmod n\text{)} \\
    &\equiv M.
\end{aligned}
\]
The result thus follows. $\square$

(Euler's Theorem is applied under the assumption $\gcd(M, n) = 1$; when $M$ shares a factor with $n$, the same congruence is verified modulo $p$ and modulo $q$ separately and the two are combined by the Chinese Remainder Theorem.)

Figure 3.3 RSA encryption and decryption (Alice chooses primes $p, q$ such that $n = pq$ and $ed \equiv 1 \pmod{(p-1)(q-1)}$; $(e, n)$ is public; the two parties are Alice and Bob)


Both encryption $C \equiv M^e \pmod n$ and decryption $M \equiv C^d \pmod n$ of RSA can be implemented in polynomial-time by the fast exponentiation method. For example, the RSA encryption can be implemented as follows:

Algorithm 3.3. Given $(e, M, n)$, this algorithm finds $C \equiv M^e \pmod n$, or given $(d, C, n)$, finds $M \equiv C^d \pmod n$, in time polynomial in $\log e$ or $\log d$, respectively.

Encryption: Given $(e, M, n)$ to find $C$
  Set $C \leftarrow 1$
  While $e \ge 1$ do
    if $e \bmod 2 = 1$ then $C \leftarrow C \cdot M \bmod n$
    $M \leftarrow M^2 \bmod n$
    $e \leftarrow \lfloor e/2 \rfloor$
  Print $C$

Decryption: Given $(d, C, n)$ to find $M$
  Set $M \leftarrow 1$
  While $d \ge 1$ do
    if $d \bmod 2 = 1$ then $M \leftarrow M \cdot C \bmod n$
    $C \leftarrow C^2 \bmod n$
    $d \leftarrow \lfloor d/2 \rfloor$
  Print $M$


Remark 3.5. For the decryption process in RSA, since the authorized user knows $d$ and hence knows $p$ and $q$, instead of directly working on $M \equiv C^d \pmod n$ he can speed up the computation by working on the following two congruences:
\[
\begin{aligned}
M_p &\equiv C^d \equiv C^{d \bmod (p-1)} \pmod p, \\
M_q &\equiv C^d \equiv C^{d \bmod (q-1)} \pmod q,
\end{aligned}
\]
and then use the Chinese Remainder Theorem to get
\[
M \equiv M_p \cdot q \cdot (q^{-1} \bmod p) + M_q \cdot p \cdot (p^{-1} \bmod q) \pmod n.
\]
The Chinese Remainder Theorem is a two-edged sword. On the one hand, it provides a good way to speed up the computation/performance of the RSA decryption, which can even be easily implemented on a low-cost crypto-chip [38]. On the other hand, it may introduce some serious security problems, being vulnerable to some side-channel attacks, particularly random fault attacks.
Example 3.6. Let the letter-digit encoding be as follows:
\[
\text{space} = 00,\ A = 01,\ B = 02,\ \ldots,\ Z = 26.
\]
(We will use this digital representation of letters throughout the book.) Let also
\[
\begin{aligned}
e &= 9007, \\
M &= 200805001301070903002315180419000118050019172105011309190800151919090618010705, \\
n &= 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541.
\end{aligned}
\]
Then the encryption can be done by using Algorithm 3.3:
\[
\begin{aligned}
C &\equiv M^e \\
  &\equiv 96869613754622061477140922254355882905759991124574319874695120930816298225145708356931476622883989628013391990551829945157815154 \pmod n.
\end{aligned}
\]
For the decryption, since the two prime factors $p$ and $q$ of $n$ are known to the authorized person who does the decryption:
\[
\begin{aligned}
p &= 3490529510847650949147849619903898133417764638493387843990820577, \\
q &= 32769132993266709549961988190834461413177642967992942539798288533,
\end{aligned}
\]
then
\[
\begin{aligned}
d &\equiv 1/e \\
  &\equiv 106698614368578024442868771328920154780709906633937862801226224496631063125911774470873340168597462306553968544513277109053606095 \pmod{(p-1)(q-1)}.
\end{aligned}
\]
Thus, the original plaintext $M$ can be recovered either directly by using Algorithm 3.3, or indirectly by a combined use of Algorithm 3.3 and the Chinese Remainder Theorem:
\[
M \equiv C^d \equiv 200805001301070903002315180419000118050019172105011309190800151919090618010705 \pmod n,
\]
which is "THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE".


Remark 3.6. Prior to RSA, Pohlig and Hellman in 1978 [67] proposed a secret-key cryptosystem based on arithmetic modulo $p$, rather than $n = pq$. The Pohlig-Hellman system works as follows: Let $M$ and $C$ be the plaintext and ciphertext, respectively. Choose a prime $p$, usually with more than 200 digits, and a secret encryption key $e$ such that $e \in \mathbb{Z}^+$ and $e < p - 2$. Compute $d \equiv 1/e \pmod{p-1}$. $p$ and of course $d$ must be kept secret.

[1] Encryption:
\[
C \equiv M^e \pmod p.
\]
This process is easy for the authorized user:
\[
\{M, e, p\} \xrightarrow{\ \text{easy}\ } \{C \equiv M^e \pmod p\}.
\]

[2] Decryption:
\[
M \equiv C^d \pmod p.
\]
For the authorized user who knows $(e, p)$, this process is easy, since $d$ can be easily computed from $e$.

[3] Cryptanalysis: The security of this system is based on the infeasibility of the Discrete Logarithm Problem. For example, a cryptanalyst who does not know $e$ or $d$ would have to compute
\[
e \equiv \log_M C \pmod p.
\]


Remark 3.7. One of the most important features of RSA encryption is that it can also be used for digital signatures. Let $M$ be a document to be signed, $n = pq$ with $p, q$ primes, and $(e, d)$ the public and private exponents as in the RSA encryption scheme. Then the processes of RSA signature signing and signature verification are just the same as those of decryption and encryption; that is, use $d$ for signature signing and $e$ for signature verification as follows (see also Figure 3.4):

[1] Signature signing:
\[
S \equiv M^d \pmod n.
\]
The signing process can only be done by the authorized person who has the private exponent $d$.

[2] Signature verification:
\[
M \equiv S^e \pmod n.
\]
This verification process can be done by anyone since $(e, n)$ is public.

Figure 3.4 RSA digital signature (Alice chooses primes $p, q$ such that $n = pq$ and $ed \equiv 1 \pmod{\phi(n)}$; $(e, n)$ is public; Alice signs $S \equiv M^d \pmod n$ and Bob verifies $M \equiv S^e \pmod n$)

Of course, RSA encryption and RSA signature can be used together to obtain a signed encrypted document to be sent over an insecure network.


As can be seen, the whole idea of RSA encryption and decryption is as follows:
\[
\begin{aligned}
C &\equiv M^e \pmod n, \\
M &\equiv C^d \pmod n,
\end{aligned}
\]
where
\[
ed \equiv 1 \pmod{\phi(n)}, \qquad n = pq \text{ with } p, q \in \text{Primes}.
\]
Thus, the RSA function can be defined by
\[
f_{\mathrm{RSA}} : M \mapsto M^e \bmod n.
\]
The inverse of the RSA function is then defined by
\[
f_{\mathrm{RSA}}^{-1} : M^e \mapsto M \bmod n.
\]
Clearly, the RSA function is a one-way trap-door function, with
\[
\{d, p, q, \phi(n)\} \tag{3.5}
\]
the RSA trap-door information. For security purposes, this set of information must be kept secret and should never be disclosed in any way, even in part. Now suppose that Bob sends $C$ to Alice, but Eve intercepts it and wants to understand it. Since Eve only has $(e, n, C)$ and does not have any piece of the trap-door information in (3.5), it should be infeasible/intractable for her to recover $M$ from $C$:
\[
\{e, n, C \equiv M^e \pmod n\} \xrightarrow{\ \text{hard}\ } \{M \equiv C^d \pmod n\}.
\]
On the other hand, Alice knows $d$, which implies that she knows all the pieces of trap-door information in (3.5), as
\[
\{p\} \overset{\mathcal{P}}{\Longleftrightarrow} \{q\} \overset{\mathcal{P}}{\Longleftrightarrow} \{\phi(n)\} \overset{\mathcal{P}}{\Longleftrightarrow} \{d\}.
\]
So, it is easy for Alice to recover $M$ from $C$:
\[
\{e, n, C \equiv M^e \pmod n\} \xrightarrow[\text{easy}]{\ d,\, p,\, q,\, \phi(n)\ } \{M \equiv C^d \pmod n\}.
\]


Why is it hard for Eve to recover M from C? This is because Eve is facing a hard 
computational problem, namely, the RSA problem [76]: 

The RSA problem: Given the RSA public-key (e, n) and the RSA ciphertext C, find the 
corresponding RSA plaintext M. That is, 
$$\{e, n, C\} \longrightarrow \{M\}.$$


It is conjectured, although it has never been proved or disproved, that: 


The RSA conjecture: Given the RSA public-key (e, n) and the RSA ciphertext C, it is hard 
to find the corresponding RSA plaintext M. That is, 
$$\{e, n, C\} \xrightarrow{\text{hard}} \{M\}.$$


But how hard is it for Alice to recover M from C? This is another version of the RSA 
conjecture, often called the RSA assumption, which again has never been proved or 
disproved: 

The RSA assumption: Given the RSA public-key (e, n) and the RSA ciphertext C, 
finding M is as hard as factoring the RSA modulus n. That is, 
$$\mathrm{IFP}(n) \Longleftrightarrow \mathrm{RSA}(M),$$
provided that n is sufficiently large and randomly generated, and M and C are random 
integers between 0 and n − 1. More precisely, it is conjectured (or assumed) that 
$$\mathrm{IFP}(n) \Longleftrightarrow \mathrm{RSA}(M).$$


That is, if n can be factorized in polynomial-time, then M can be recovered from 
C in polynomial-time. In other words, cryptanalyzing RSA must be as difficult as 
solving the IFP. But the problem is, as we discussed previously, that no one 
knows whether or not IFP can be solved in polynomial-time, so RSA is only 
assumed to be secure, not proved to be secure: 
$$\mathrm{IFP}(n) \text{ is hard} \Longrightarrow \mathrm{RSA}(M) \text{ is secure}.$$
The real situation is that 
$$\mathrm{IFP}(n) \overset{\checkmark}{\Longrightarrow} \mathrm{RSA}(M), \qquad \mathrm{IFP}(n) \overset{?}{\Longleftarrow} \mathrm{RSA}(M).$$
That is, an efficient factoring algorithm would break RSA, but it is not known whether breaking RSA yields an efficient factoring algorithm. 


Now we can return to answer the question of how hard it is for Alice to recover 
M from C. By the RSA assumption, cryptanalyzing C is as hard as factoring n. The 
fastest known integer factorization algorithm, the Number Field Sieve, runs in time 
$$O\!\left(\exp\!\left(c\,(\log n)^{1/3} (\log\log n)^{2/3}\right)\right),$$
where c = (64/9)^{1/3} if the general version of NFS, GNFS, is used for factoring an 
arbitrary integer n, whereas c = (32/9)^{1/3} if the special version of NFS, SNFS, is 
used for factoring an integer n of special form. In RSA, the modulus n = pq is 
often chosen to be a large general composite integer with p and q of the same 
bit size, which makes SNFS not useful. This means that RSA cannot be broken 
in polynomial-time, but only in subexponential-time, which makes RSA secure, again, 
by assumption. Thus, readers should note that the RSA problem is assumed to be 
hard, and the RSA cryptosystem is conjectured to be secure. 
</gr_repl‌ace>

<gr_replace lines="4065-4070" cat="clarify" orig="In the RSA cryptosystem">
In the RSA cryptosystem, it is assumed that the cryptanalyst, Eve, 

1. knows the public-key {e, n} with n = pq and also the ciphertext C, 
2. does not know any one piece of the trap-door information {p, q, φ(n), d}, 
3. wants to know {M}. 
In the RSA cryptosystem, it is assumed that the cryptanalyst, Eve 


1. knows the public-key {e, n} with n = pq and also the ciphertext C, 
2. does not know any one piece of the trap-door information {p, q, ¢(n), d}, 
3. wants to know {M}. 


That is, Eve wants to find 
$$\{e, n, C \equiv M^e \pmod n\} \longrightarrow \{M\}.$$
Obviously, there are several ways to recover M from C (i.e., to break the RSA 
system): 


1. Factor n by using, e.g., QS/MPQS or NFS to find its prime factors {p, q} so 
as to compute 
$$M \equiv C^{1/e \bmod (p-1)(q-1)} \pmod n.$$
2. Find φ(n) so as to compute 
$$M \equiv C^{1/e \bmod \phi(n)} \pmod n.$$
3. Find order(a, n), the order of a random integer a ∈ [2, n − 2] modulo n, by using 
Shor's quantum algorithm in the next section, then try to find 
$$\{p, q\} = \gcd(a^{r/2} \pm 1, n) \quad\text{and}\quad M \equiv C^{1/e \bmod (p-1)(q-1)} \pmod n.$$
4. Find order(C, n), the order of C modulo n, so as to compute 
$$M \equiv C^{1/e \bmod \mathrm{order}(C, n)} \pmod n.$$
5. Compute log_C M (mod n), the discrete logarithm of M to the base C modulo n, in 
order to find 
$$M \equiv C^{\log_C M \pmod n} \pmod n.$$


As can be seen from the previous sections, RSA uses M^e for encryption, with 
e ≥ 3 (3 is the smallest possible public exponent in RSA); in this way, we might 
call RSA encryption M^e encryption. In 1979, Michael Rabin [73] proposed a scheme 
based on M^2 encryption, rather than the M^e (e ≥ 3) encryption used in RSA. 
A brief description of the Rabin cryptosystem is as follows (see also Figure 3.5). 

[1] Key generation: Let n = pq with p, q odd primes satisfying 
$$p \equiv q \equiv 3 \pmod 4.$$
[2] Encryption: 
$$C \equiv M^2 \pmod n.$$
[3] Decryption: Use the Chinese Remainder Theorem to solve the system of 
congruences 
$$M_p \equiv \sqrt{C} \pmod p, \qquad M_q \equiv \sqrt{C} \pmod q$$
to get the four solutions {±M_p, ±M_q}. The true plaintext M will be one of these 
four values. 
Figure 3.5 Rabin cryptosystem. (Alice chooses primes p, q with p ≡ q ≡ 3 (mod 4) and keeps (p, q) secret; Bob sends C ≡ M^2 (mod n); Alice computes M_p ≡ √C (mod p), M_q ≡ √C (mod q) and M ∈ {±M_p, ±M_q}.) 


[4] Cryptanalysis: A cryptanalyst who can factor n can compute the four square 
roots of C modulo n, and hence can recover M from C. Thus, breaking the Rabin 
system is equivalent to factoring n. 


Example 3.7. Let M = 31. 
[1] Key generation: Let n = 11 · 19 be the public key, but keep the prime factors 
p = 11 and q = 19 of n secret. 
[2] Encryption: 
$$C \equiv 31^2 \equiv 125 \pmod{209}.$$
[3] Decryption: Compute 
$$M_p \equiv \sqrt{125} \equiv \pm 2 \pmod p, \qquad M_q \equiv \sqrt{125} \equiv \pm 7 \pmod q.$$
Now use the Chinese Remainder Theorem to solve 
$$\begin{aligned} M \equiv 2 \pmod{11},\ M \equiv 7 \pmod{19} &\;\Longrightarrow\; M = 178, \\ M \equiv -2 \pmod{11},\ M \equiv 7 \pmod{19} &\;\Longrightarrow\; M = 64, \\ M \equiv 2 \pmod{11},\ M \equiv -7 \pmod{19} &\;\Longrightarrow\; M = 145, \\ M \equiv -2 \pmod{11},\ M \equiv -7 \pmod{19} &\;\Longrightarrow\; M = 31. \end{aligned}$$
The true plaintext M will be one of the above four values, and in fact, M = 31 
is the true value. 


Unlike the RSA cryptosystem, whose security is only conjectured to be 
equivalent to the intractability of IFP, the security of the Rabin system and its variants 
such as the Rabin-Williams system is proved to be equivalent to the intractability of IFP. 
First notice that there is a fast algorithm to compute square roots modulo n if 
the factorization n = pq is known. Consider the quadratic congruence 
$$x^2 \equiv y \pmod p;$$
there are essentially three cases for the prime p: 

1. p ≡ 3 (mod 4), 
2. p ≡ 5 (mod 8), 
3. p ≡ 1 (mod 8). 

All three cases may be solved by the following process: 
$$\begin{aligned} &\text{if } p \equiv 3 \pmod 4, \quad x \equiv \pm y^{(p+1)/4} \pmod p, \\ &\text{if } p \equiv 5 \pmod 8, \quad \begin{cases} \text{if } y^{(p-1)/4} \equiv 1, & x \equiv \pm y^{(p+3)/8} \pmod p, \\ \text{if } y^{(p-1)/4} \not\equiv 1, & x \equiv \pm 2y\,(4y)^{(p-5)/8} \pmod p. \end{cases} \end{aligned}$$
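As an added example (editor's code, not the book's), the square-root process above for the two cases it gives, together with Rabin encryption and the four-root CRT decryption of Example 3.7; the only inputs assumed are the textbook values p = 11, q = 19, M = 31 and a few extra small primes for checking.

```python
# Added example: Rabin encryption/decryption with the square-root cases above.
# Assumes only the textbook values p = 11, q = 19, M = 31 (Example 3.7).

def sqrt_mod_prime(y, p):
    """Square roots of y modulo an odd prime p, for the two cases given in the
    text: p = 3 (mod 4) and p = 5 (mod 8).  Returns the pair (x, p - x), or None
    when y is a quadratic non-residue.  The p = 1 (mod 8) case is not covered."""
    y %= p
    if y == 0:
        return (0, 0)
    if pow(y, (p - 1) // 2, p) != 1:            # Euler's criterion: no root
        return None
    if p % 4 == 3:
        x = pow(y, (p + 1) // 4, p)
    elif p % 8 == 5:
        if pow(y, (p - 1) // 4, p) == 1:
            x = pow(y, (p + 3) // 8, p)
        else:
            x = 2 * y * pow(4 * y, (p - 5) // 8, p) % p
    else:
        raise ValueError("p = 1 (mod 8) needs a general method (e.g. Tonelli-Shanks)")
    assert x * x % p == y                        # sanity check of the formula used
    return (x, (p - x) % p)


def crt2(r1, m1, r2, m2):
    """Unique x in [0, m1*m2) with x = r1 (mod m1), x = r2 (mod m2); gcd(m1, m2) = 1."""
    inv = pow(m1, -1, m2)                        # Python 3.8+ modular inverse
    return (r1 + m1 * ((r2 - r1) * inv % m2)) % (m1 * m2)


def rabin_encrypt(M, n):
    """Rabin encryption: C = M^2 (mod n)."""
    return M * M % n


def rabin_decrypt(C, p, q):
    """The four square roots of C modulo n = pq, i.e. {+-M_p, +-M_q} glued by CRT."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("Rabin key generation requires p = q = 3 (mod 4)")
    roots_p = sqrt_mod_prime(C, p)
    roots_q = sqrt_mod_prime(C, q)
    if roots_p is None or roots_q is None:
        raise ValueError("C is not a square modulo n")
    return sorted({crt2(mp, p, mq, q) for mp in roots_p for mq in roots_q})


if __name__ == "__main__":
    p, q, M = 11, 19, 31
    n = p * q
    C = rabin_encrypt(M, n)                       # 125
    print("C =", C, "candidates:", rabin_decrypt(C, p, q))   # [31, 64, 145, 178]
```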


Problems for Section 3.2 


1. The RSA function M ↦ C mod n is a trap-door one-way function, as it is computationally 
intractable to invert the function if the prime factorization n = pq is unknown. 
Give your own trap-door one-way functions that can be used to construct public-key 
cryptosystems. Justify your answer. 

2. Show that 
$$M \equiv M^{ed} \pmod n,$$
where ed ≡ 1 (mod φ(n)). 
3. Let the ciphertexts C_1 ≡ M_1^e (mod n) and C_2 ≡ M_2^e (mod n) be as follows, 
where e and n are given below, n being the following RSA-129 number: 

e = 9137, 

Ci = 46604906435060096392391 122387112023736039163470082768 
24341038329668507346202721798200029792506708833728356 
7804532383891 140719579, 

C2 = 650640969385 1106974152831334247539664897855 1735813836 
7771963503738 14720928779386178787818974157439185718360 
8196124160093438830158, 

n = 11438162575788886766923577997614661201021829672124236 
25625618429357069352457338978305971235639587050589890 
75147599290026879543541. 

Find M_1 and M_2. 
4. Let 

e_1 = 9007, 

e_2 = 65537, 

n = 1143816257578888676692357799761 466120102 1829672 1242362 
562561842935706935245733897830597123563958705058989075 
147599290026879543541, 

C_1 ≡ M^{e_1} (mod n) 

= 104202250941 19623841363838260797412577444908472492959 
125743374588926529777171718241302464293807835 19790899 
45343407464161377977212, 

C_2 ≡ M^{e_2} (mod n) 

= 764527507291887001807 199705 175445747 109447573 17909896 
041340987488285573 19028078348030908497802 156339649075 
97506005 19496071304348. 


Find the plaintext M. 
5. (Rivest) Let 
k ≡ 2^{2^t} (mod n), 


where 


n = 6314466083072888893799357 12613 12923323632988 
18330841375588990772701957128924885547308446 
0557532065 1361834662884894808866350036848039 
658817136198766052 18972678 101622805574753938 
3830826175971321892666861 177695452639 1570120 
6909399736800897212744646664233 1918780683055 
206795 125307008202024 12462339824 107377537051 
27344494 169501 18097524 1890667963858754856319 
805507273709904397 1 197336 1466670154390536015 
25433739825245793 135753 1765364633 198906465 14 
0213398526580034 1991903982 1928447 10212464887 
4593888535820703 180842890232097 1090703239693 
49 199627789953233201840645224764639663559373 
670093692 12758092086293 19872700829243 1243681, 


t = 79685186856218. 


Find k. (Note that to find k, one needs to find 2^t (mod φ(n)) first; however, to 
find φ(n) one needs to factor n first.) 
6. (Knuth) Let 
$$\{C_1, C_2\} \equiv \{M_1^3, M_2^3\} \pmod n,$$
where 


C_1 = 6875028364370892898789953506044079907 16898 140258583443 
03553558823747927 108009029304963056665 1268 1 12334056274 
332612142823187203731181519639442616568998924368271227 
5123771458797372299204 12575302366595487564 1382171, 


C_2 = 713013988616927464542046650358646224728216664013755778 
56722321979701159322084955786424970377533 1317377532696 
5348797392018688875678295 1 903268 16326888 1275006025 1822 
388446286615758360493 16280566866996833345 19294663, 


n = 77903022885 1015954236247565470557836248576762097398394 
108440222213572872511709998585048387648 13 1944340510932 
265 1368151685741 19934775586854274094225644500087912723 
258574933706185395834027843405820888 1085485078737. 


Find {M_1, M_2}. (Note that there are two known ways to find {M_1, M_2}: 
$$M_i \equiv \sqrt[3]{C_i} \pmod n, \qquad M_i \equiv C_i^{\,d} \pmod n,$$
where i = 1, 2. But in either way, one needs to factor n first.) 
7. The original version of the RSA cryptosystem, 
$$C \equiv M^e \pmod n, \qquad M \equiv C^d \pmod n,$$
with 
$$ed \equiv 1 \pmod{\phi(n)},$$
is a type of deterministic cryptosystem, in which the same ciphertext is obtained 
for the same plaintext even at a different time. That is, 
$$M_1 \xrightarrow{\text{Encryption at Time 1}} C_1, \qquad M_1 \xrightarrow{\text{Encryption at Time 2}} C_1, \qquad \dots, \qquad M_1 \xrightarrow{\text{Encryption at Time } t} C_1.$$
A randomized cryptosystem is one in which a different ciphertext is obtained at a 
different time even for the same plaintext: 
$$M_1 \xrightarrow{\text{Encryption at Time 1}} C_1, \qquad M_1 \xrightarrow{\text{Encryption at Time 2}} C_2, \qquad \dots, \qquad M_1 \xrightarrow{\text{Encryption at Time } t} C_t,$$
with C_1 ≠ C_2 ≠ ··· ≠ C_t. Describe a method to make RSA a randomized 
cryptosystem. 

8. Show that if IFP can be solved in polynomial-time, then RSA can be broken in 
polynomial-time. 
9. Let 


n = 212902463182587575474978820 162715 17497806703 963277216278233 
3832 15384705704 13250102890108976982548 19258255 1350925260960 
2369983944024335907529, 

C = M’ (mod n) 

= 5128520506024348 1 188122109876540661122140906807437327290641 
6063392024247974 1450841 196687 149365272035 10642341 1648279363 
93204288427 1651389234. 


Find the plaintext M. 


3.3 Shor’s Algorithm for Integer Factorization 


As just discussed in the previous two sections, there is no efficient classical algorithm for 
integer factorization, so RSA and all other integer-factorization-based cryptographic 
systems are secure and unbreakable in polynomial-time. However, there is a 
quantum polynomial-time algorithm, proposed by Shor in 1994. This algorithm, 
if run on a practical quantum computer, can solve the integer factorization problem 
and break RSA and all other factoring-based cryptographic systems in polynomial-time, 
efficiently and completely. 


3.3.1 Quantum Order Finding Algorithm 


The key idea of Shor's quantum algorithm for factoring n is to find the order of a 
random element x in the multiplicative group Z_n^*. So we first present some basic 
concepts of the order of an element in a multiplicative group. 

Definition 3.4. Let G = Z_n^* be a finite multiplicative group, and x ∈ G a randomly 
chosen integer (element). Then the order of x in G, or the order of the element x modulo n, 
sometimes denoted by order(x, n), is the smallest positive integer r such that 
$$x^r \equiv 1 \pmod n.$$

Example 3.8. Let 5 ∈ Z_{104}^*. Then order(5, 104) = 4, since 4 is the smallest positive 
integer satisfying 
$$5^4 \equiv 1 \pmod{104}.$$
Theorem 3.3. Let G be a finite group and suppose that x ∈ G has finite order r. If 
x^k = 1, then r | k. 

Example 3.9. Let 5 ∈ Z_{104}^*. As 5^{24} ≡ 1 (mod 104), so 4 | 24. 

Definition 3.5. Let G be a finite group; then the number of elements in G, denoted 
by |G|, is called the order of G. 

Example 3.10. Let G = Z_{104}^*. Then there are 48 elements in G that are relatively 
prime to 104 (two numbers a and b are relatively prime if gcd(a, b) = 1), namely 

1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25, 27, 29, 31, 33, 35, 37, 41, 43, 
45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 67, 69, 71, 73, 75, 77, 79, 81, 
83, 85, 87, 89, 93, 95, 97, 99, 101, 103. 

Thus, |G| = 48. That is, the order of the group G is 48. 

Theorem 3.4 (Lagrange). Let G be a finite group. Then the order of an element 
x ∈ G divides the order of the group G. 

Example 3.11. Let G = Z_{104}^*. Then the order of G is 48, whereas the order of the 
element 5 ∈ G is 4. Clearly 4 | 48. 

Corollary 3.1. If a finite group G has order r, then x^r = 1 for all x ∈ G. 

Example 3.12. Let G = Z_{104}^* and |G| = 48. Then 
$$\begin{aligned} 1^{48} &\equiv 1 \pmod{104} \\ 3^{48} &\equiv 1 \pmod{104} \\ 5^{48} &\equiv 1 \pmod{104} \\ 7^{48} &\equiv 1 \pmod{104} \\ 101^{48} &\equiv 1 \pmod{104} \\ 103^{48} &\equiv 1 \pmod{104}. \end{aligned}$$


Finding the order of an element x in G is, in theory, not a problem: just keep 
multiplying until we get to "1", the identity element of the multiplicative group G. 
For example, let n = 179359, x = 3 ∈ G, and G = Z_{179359}^*, so that 
gcd(3, 179359) = 1. To find r = order(3, 179359), we just keep multiplying until 
we get to "1": 
$$\begin{aligned} 3^1 \bmod 179359 &= 3 \\ 3^2 \bmod 179359 &= 9 \\ 3^3 \bmod 179359 &= 27 \\ &\;\;\vdots \\ 3^{1000} \bmod 179359 &= 31981 \\ 3^{1001} \bmod 179359 &= 95943 \\ 3^{1002} \bmod 179359 &= 108470 \\ &\;\;\vdots \\ 3^{14716} \bmod 179359 &= 99644 \\ 3^{14717} \bmod 179359 &= 119573 \\ 3^{14718} \bmod 179359 &= 1. \end{aligned}$$
Thus, the order r of 3 in the multiplicative group G = (Z/179359Z)^* is 14718, that 
is, ord_{179359}(3) = 14718. 


Example 3.13. Let 
$$n = 5515596313, \quad e = 1757316971, \quad C = 763222127, \quad r = \mathrm{order}(C, n) = 114905160.$$
Then 
$$M \equiv C^{1/e \bmod r} \pmod n \equiv 763222127^{\,1/1757316971 \bmod 114905160} \pmod{5515596313} = 1612050119.$$
Clearly, this result is correct, since 
$$M^e \equiv 1612050119^{1757316971} \equiv 763222127 \equiv C \pmod{5515596313}.$$


It must also be noted, however, that in practice the above computation for finding 
the order of x ∈ Z_n^* may not work, since for an element x in a large group G 
with n having more than 200 digits, the computation of r may require more than 
10^{100} multiplications. Even if these multiplications could be carried out at the rate 
of 1000 billion per second on a supercomputer, it would take approximately 3 · 10^{80} 
years to arrive at the answer. Thus, the order finding problem is intractable on 
conventional digital computers. The problem is, however, tractable on quantum 
computers, provided that a practical quantum computer is available. 

It is worthwhile pointing out that although the order is hard to find, the 
exponentiation is easy to compute. Suppose we want to compute x^e mod n with 
x, e, n ∈ N. Suppose moreover that the binary form of e is as follows: 
$$e = \beta_k 2^k + \beta_{k-1} 2^{k-1} + \cdots + \beta_1 2^1 + \beta_0 2^0,$$
where each β_i (i = 0, 1, 2, ...) is either 0 or 1. Then we have 
$$x^e = x^{\beta_k 2^k + \beta_{k-1} 2^{k-1} + \cdots + \beta_1 2^1 + \beta_0 2^0}.$$
Furthermore, by the exponentiation law 
$$x^{2^{i+1}} = \left(x^{2^i}\right)^2,$$
and so the final value of the exponentiation can be obtained by repeated squaring 
and multiplication operations. For example, to compute a^{100}, we first write 100_{10} = 
1100100_2 := e_6 e_5 e_4 e_3 e_2 e_1 e_0, and then compute 
$$a^{100} = \left(\left(\left(\left(\left((a)^2 \cdot a\right)^2\right)^2\right)^2 \cdot a\right)^2\right)^2.$$
Note that for each e_i, if e_i = 1, we perform a squaring and a multiplication 
operation (except "e_6 = 1", for which we just write down a, as indicated in the 
first bracket), otherwise we perform only a squaring operation. That is, 
$$\begin{array}{llll} e_6 & 1 & a & a \quad \text{initialization} \\ e_5 & 1 & (a)^2 \cdot a & a^3 \quad \text{squaring and multiplication} \\ e_4 & 0 & ((a)^2 \cdot a)^2 & a^6 \quad \text{squaring} \\ e_3 & 0 & (((a)^2 \cdot a)^2)^2 & a^{12} \quad \text{squaring} \\ e_2 & 1 & ((((a)^2 \cdot a)^2)^2)^2 \cdot a & a^{25} \quad \text{squaring and multiplication} \\ e_1 & 0 & (((((a)^2 \cdot a)^2)^2)^2 \cdot a)^2 & a^{50} \quad \text{squaring} \\ e_0 & 0 & ((((((a)^2 \cdot a)^2)^2)^2 \cdot a)^2)^2 & a^{100} \quad \text{squaring} \end{array}$$
The following is the algorithm, which runs in O(log e) arithmetic operations and 
O((log e)(log n)^2) bit operations. 
Algorithm 3.4 (Fast Modular Exponentiation x^e mod n). This algorithm will 
compute the modular exponentiation 
$$c \equiv x^e \pmod n,$$
where x, e, n ∈ N with n > 1. It requires at most 2 log e multiplications and 2 log e divisions 
(divisions are only needed for modular operations; they can be removed if 
only c = x^e is required to be computed). 

[1] [Precomputation] Let 
$$e_{\beta-1} e_{\beta-2} \cdots e_1 e_0$$
be the binary representation of e (i.e., e has β bits). For example, for 
562 = 1000110010_2, we have β = 10 and 
$$\begin{array}{cccccccccc} 1 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 1 & 0 \\ \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow & \updownarrow \\ e_9 & e_8 & e_7 & e_6 & e_5 & e_4 & e_3 & e_2 & e_1 & e_0 \end{array}$$
[2] [Initialization] Set c ← 1. 
[3] [Modular exponentiation] Compute c = x^e mod n in the following way: 
$$\begin{aligned} &\text{for } i \text{ from } \beta - 1 \text{ down to } 0 \text{ do} \\ &\qquad c \leftarrow c^2 \bmod n \quad \text{(squaring)} \\ &\qquad \text{if } e_i = 1 \text{ then} \\ &\qquad\qquad c \leftarrow c \cdot x \bmod n \quad \text{(multiplication)} \end{aligned}$$
[4] [Exit] Print c and terminate the algorithm. 
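An added Python rendering of Algorithm 3.4 (editor's code, not the book's), which also reproduces the a^100 exponent table and the bit layout of 562 above; nothing beyond the inputs x, e, n is assumed.

```python
# Added example: Algorithm 3.4 (left-to-right square-and-multiply) with an
# operation count and a symbolic trace of the exponent, as in the a^100 table.
# Editor's code; only the inputs x, e, n are assumed.

def bits_msb_first(e):
    """Binary digits e_{beta-1} ... e_0 of e, most significant first (Step [1])."""
    if e < 0:
        raise ValueError("exponent must be non-negative")
    return [int(b) for b in bin(e)[2:]]          # bin(0) -> '0b0' -> [0]


def modexp(x, e, n):
    """c = x^e mod n by repeated squaring and multiplication (Steps [2]-[4]).
    Returns (c, squarings, multiplications)."""
    if n <= 1:
        raise ValueError("modulus must be > 1")
    c, squarings, mults = 1, 0, 0
    for bit in bits_msb_first(e):                # i from beta-1 down to 0
        c = c * c % n                            # squaring
        squarings += 1
        if bit == 1:
            c = c * x % n                        # multiplication
            mults += 1
    return c, squarings, mults


def exponent_trace(e):
    """The exponent held after each step, e.g. e = 100 = 1100100_2 gives
    [(1, 1), (1, 3), (0, 6), (0, 12), (1, 25), (0, 50), (0, 100)]."""
    rows, k = [], 0
    for bit in bits_msb_first(e):
        k = 2 * k + bit                          # squaring doubles, multiplying adds 1
        rows.append((bit, k))
    return rows


if __name__ == "__main__":
    print(bits_msb_first(562))                   # [1,0,0,0,1,1,0,0,1,0], beta = 10
    print(exponent_trace(100))
    print(modexp(3, 14718, 179359))              # the order example in the text
```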


Now we are in a position to present the quantum algorithm for computing the 
order of an element x in the multiplicative group Z_n^*, due to Shor [81]. The main 
idea of Shor's algorithm is as follows. First of all, we create two quantum registers 
for our quantum computer: Register-1 and Register-2. Of course, we can create just 
one single quantum memory register partitioned into two parts. Secondly, we create 
in Register-1 a superposition of the integers a = 0, 1, 2, 3, ..., which will be the 
arguments of f(a) = x^a (mod n), and load Register-2 with all zeros. Thirdly, we 
compute in Register-2 f(a) = x^a (mod n) for each input a. (Since the values of a 
are kept in Register-1, this can be done reversibly.) Fourthly, we perform the discrete 
Fourier transform on Register-1. Finally, we observe both registers of the machine 
and find the order r that satisfies x^r ≡ 1 (mod n). Here is the algorithm. 


Algorithm 3.5 (Quantum Algorithm for Order Finding). Given random 
integers x and n, the algorithm will find the order r of x in Z_n^*. Assume the machine has two quantum 
registers: Register-1 and Register-2, which hold integers in binary form. 

[1] (Initialization) Find a number q, a power of 2, say 2^t, with n^2 ≤ q < 2n^2. 

[2] (Preparation for quantum registers) Put in the first t-qubit register, 
Register-1, the uniform superposition of states representing numbers 
a (mod q), and load Register-2 with all zeros. This leaves the machine 
in the state |ψ_0⟩: 
$$|\psi_0\rangle = \frac{1}{\sqrt q} \sum_{a=0}^{q-1} |a\rangle\,|0\rangle.$$
(Note that the joint state of both registers is represented by |Register-1⟩ 
and |Register-2⟩.) What this step does is put each qubit in Register-1 into 
the superposition 
$$\frac{1}{\sqrt 2}\left(|0\rangle + |1\rangle\right).$$

[3] (Base selection) Choose a random x ∈ [2, n − 2] such that gcd(x, n) = 1. 

[4] (Power creation) Fill in the second t-qubit register, Register-2, with 
powers x^a (mod n). This leaves the machine in state |ψ_1⟩: 
$$|\psi_1\rangle = \frac{1}{\sqrt q} \sum_{a=0}^{q-1} |a\rangle\,|x^a \pmod n\rangle.$$
This step can be done reversibly since all the a's were kept in Register-1. 

[5] (Perform a quantum FFT) Apply FFT on Register-1. The FFT maps each 
state |a⟩ to 
$$\frac{1}{\sqrt q} \sum_{c=0}^{q-1} \exp(2\pi i ac/q)\,|c\rangle.$$
That is, we apply the unitary matrix with the (a, c) entry equal to 
(1/√q) exp(2πiac/q). This leaves the machine in the state |ψ_2⟩: 
$$|\psi_2\rangle = \frac{1}{q} \sum_{a=0}^{q-1} \sum_{c=0}^{q-1} \exp(2\pi i ac/q)\,|c\rangle\,|x^a \pmod n\rangle.$$

[6] (Periodicity detection in x^a) Observe both |c⟩ in Register-1 and 
|x^a (mod n)⟩ in Register-2 of the machine, measuring both arguments of 
this superposition, obtaining the value |c⟩ in the first argument and 
some |x^k (mod n)⟩ as the answer for the second one (0 ≤ k < r). 

[7] (Extract r) Extract the required value of r. Given the pure state |ψ_2⟩, the 
probabilities of different results for this measurement will be given by the 
probability distribution: 
$$\begin{aligned} \mathrm{Prob}(c, x^k \pmod n) &= \left| \frac{1}{q} \sum_{\substack{a=0 \\ x^a \equiv x^k \pmod n}}^{q-1} \exp(2\pi i ac/q) \right|^2 \\ &= \left| \frac{1}{q} \sum_{b=0}^{\lfloor (q-k-1)/r \rfloor} \exp(2\pi i (br+k)c/q) \right|^2 \\ &= \left| \frac{1}{q} \sum_{b=0}^{\lfloor (q-k-1)/r \rfloor} \exp(2\pi i b\{rc\}/q) \right|^2, \end{aligned}$$
where {rc} is rc mod q. As shown in [81], if 
$$-\frac{r}{2} \le \{rc\} \le \frac{r}{2}, \quad \text{i.e., } \left| \frac{c}{q} - \frac{d}{r} \right| \le \frac{1}{2q} \text{ for some } d,$$
then we have 
$$\mathrm{Prob}(c, x^k \pmod n) > \frac{1}{3r^2}.$$
Since c and q are known, r can be obtained by the continued fraction 
expansion of c/q. 

[8] (Exit) Output r and stop the algorithm. 


Theorem 3.5 (Complexity of Quantum Order Finding Algorithm). Algorithm 3.5 
for finding the order r of an element x in the multiplicative group Z_n^*, 
i.e., order(x, n), runs in polynomial-time, O((log n)^{2+ε}). 


3.3.2 Quantum Integer Factoring Algorithm 


The above order finding algorithm can be further extended to an integer factorization 
algorithm by adding one more step, as follows. 


Algorithm 3.6 (Quantum Integer Factoring). Given a composite number n, 
usually n = pq with p, q prime, and a random element x ∈ Z_n^* with gcd(x, n) = 
1, this algorithm will find the two prime factors p, q of n if n = pq, with 
probability > 1/2. 

[1]-[7] (Pre-computation) The steps [1] to [7] are just the same as those in 
Algorithm 3.5. 

[8] (Resolution) If r is odd, go to Step [3] to start with a new random element 
x ∈ Z_n^*. If r is even, then try to compute 
$$\gcd(x^{r/2} \pm 1, n) = \{p, q\}.$$
The probability for this computation to succeed will be greater than 
1/2 if n has two prime factors. 


Theorem 3.6 (Complexity of Integer Factoring). Algorithm 3.6 for factoring n 
runs in polynomial-time, O((log n)^{2+ε}). 


On 19 December 2001, IBM made the first experimental demonstration of Shor's 
quantum factoring algorithm [90], which correctly identified 3 and 5 as the factors 
of 15. Although the answer may appear to be trivial, it may have good potential 
and practical implications. In the next example, we give a step-by-step illustration of 
how to factor 15 quantum-mechanically. 


Example 3.14. Let n = 15. This example shows Shor's quantum algorithm for 
factoring the integer 15. 

[1] Find a number q such that 15^2 ≤ q = 2^8 = 256 < 2 · 15^2. 
[2] Initialize the two quantum registers with zeros: 
$$|\psi_0\rangle = |0\rangle|0\rangle.$$
[3] Perform a Hadamard transform on Reg1; we get 
$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{\sqrt{256}} \sum_{a=0}^{255} |a\rangle|0\rangle.$$
[4] Choose a random x = 7 ∈ [2, 13] such that gcd(7, 15) = 1. 
[5] Perform the modular exponentiations on Reg2; we get 
$$\begin{aligned} U_f : |\psi_1\rangle \to |\psi_2\rangle &= \frac{1}{\sqrt{256}} \sum_{a=0}^{255} |a\rangle\,|f(a)\rangle = \frac{1}{\sqrt{256}} \sum_{a=0}^{255} |a\rangle\,|7^a \pmod{15}\rangle \\ &= \frac{1}{\sqrt{256}} \big[\, |0\rangle|1\rangle + |1\rangle|7\rangle + |2\rangle|4\rangle + |3\rangle|13\rangle + {} \\ &\qquad\quad |4\rangle|1\rangle + |5\rangle|7\rangle + |6\rangle|4\rangle + |7\rangle|13\rangle + {} \\ &\qquad\quad |8\rangle|1\rangle + |9\rangle|7\rangle + |10\rangle|4\rangle + |11\rangle|13\rangle + {} \\ &\qquad\quad \cdots \\ &\qquad\quad |252\rangle|1\rangle + |253\rangle|7\rangle + |254\rangle|4\rangle + |255\rangle|13\rangle \,\big]. \end{aligned}$$
[6] Measure Reg2. Suppose |4⟩ is observed; this means that the states in Reg1 
collapse into a superposition over all a such that 7^a ≡ 4 (mod 15). That leaves 
Reg1 in the state 
$$|\psi_3\rangle = \frac{1}{\sqrt{64}} \left( |2\rangle + |6\rangle + |10\rangle + |14\rangle + \cdots + |254\rangle \right).$$
[7] Perform QFT on Reg1: 
$$\begin{aligned} \mathrm{QFT}(|\psi_3\rangle) &= \mathrm{QFT}\left( \frac{1}{\sqrt{64}} \left( |2\rangle + |6\rangle + |10\rangle + |14\rangle + \cdots + |254\rangle \right) \right) \\ &= \frac{1}{\sqrt{64}} \cdot \frac{1}{\sqrt{256}} \left( \sum_{c=0}^{255} e^{2\pi i \cdot 2c/256} |c\rangle + \sum_{c=0}^{255} e^{2\pi i \cdot 6c/256} |c\rangle + \sum_{c=0}^{255} e^{2\pi i \cdot 10c/256} |c\rangle + \cdots + \sum_{c=0}^{255} e^{2\pi i \cdot 254c/256} |c\rangle \right) \\ &= \frac{1}{\sqrt{64}\sqrt{256}} \sum_{c=0}^{255} \left( e^{2\pi i \cdot 2c/256} + e^{2\pi i \cdot 6c/256} + e^{2\pi i \cdot 10c/256} + \cdots + e^{2\pi i \cdot 254c/256} \right) |c\rangle \\ &= \frac{1}{2}|0\rangle - \frac{1}{2}|64\rangle + \frac{1}{2}|128\rangle - \frac{1}{2}|192\rangle. \end{aligned}$$
[8] Measure Reg1. The final measurement gives 0, 64, 128, 192, each with probability 
almost exactly 1/4. Suppose c = 192 is observed from the measurement. 
Then we compute the continued fraction expansion 
$$\frac{c}{q} = \frac{192}{256} = \frac{3}{4} \quad \text{with convergents } \left[ 0, 1, \frac{3}{4} \right].$$
Thus, r = 4 = order_{15}(7). Therefore, 
$$\gcd(x^{r/2} \pm 1, n) = \gcd(7^2 \pm 1, 15) = (5, 3).$$
This gives the prime factorization 15 = 3 · 5. 
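A classical simulation of the steps of Example 3.14 (an added example, editor's code, not the book's): it builds the collapsed Register-1 state for the observed value 4, computes the QFT amplitudes directly, recovers r from the continued fraction of c/q as in Step [8], and applies the gcd step of Algorithm 3.6. The only assumption is that n is small enough to enumerate all q = 256 register values.

```python
# Added example: a classical simulation of Example 3.14 (editor's code, not the
# book's).  Only feasible because n = 15 and q = 256 are tiny; the point is to
# see the 1/4 peaks at c = 0, 64, 128, 192 and the continued-fraction step.
import cmath
from fractions import Fraction
from math import gcd, sqrt


def shor_register_probabilities(n, x, q, observed):
    """Steps [5]-[7]: load |a>|x^a mod n>, collapse Register-1 on the value
    `observed` seen in Register-2, apply the QFT and return {c: Prob(c)} for
    every c with non-negligible probability."""
    support = [a for a in range(q) if pow(x, a, n) == observed]   # |psi_3>
    if not support:
        raise ValueError("observed value never occurs in Register-2")
    amp = 1 / sqrt(len(support))                                   # 1/sqrt(64) here
    probs = {}
    for c in range(q):
        s = sum(cmath.exp(2j * cmath.pi * a * c / q) for a in support)
        pr = abs(amp * s / sqrt(q)) ** 2
        if pr > 1e-9:
            probs[c] = pr
    return probs


def convergents(c, q):
    """Convergents of the continued fraction of c/q, e.g. 192/256 -> [0, 1, 3/4]."""
    h2, h1, k2, k1 = 0, 1, 1, 0
    num, den, out = c, q, []
    while den:
        a, rem = divmod(num, den)
        h2, h1 = h1, a * h1 + h2
        k2, k1 = k1, a * k1 + k2
        out.append(Fraction(h1, k1))
        num, den = den, rem
    return out


def order_from_measurement(c, q, x, n):
    """Step [8]: the first convergent denominator r of c/q with x^r = 1 (mod n),
    or None if this measurement outcome does not reveal the order."""
    for frac in convergents(c, q):
        r = frac.denominator
        if 0 < r <= n and pow(x, r, n) == 1:
            return r
    return None


def factors_from_order(x, r, n):
    """Step [8] of Algorithm 3.6: gcd(x^{r/2} +- 1, n); None if r is odd or trivial."""
    if r % 2:
        return None
    y = pow(x, r // 2, n)
    if y == n - 1:                       # x^{r/2} = -1 gives only trivial gcds
        return None
    f = sorted({gcd(y - 1, n), gcd(y + 1, n)})
    return tuple(f) if f[0] > 1 else None


if __name__ == "__main__":
    n, x, q = 15, 7, 256
    probs = shor_register_probabilities(n, x, q, observed=4)
    print({c: round(p, 4) for c, p in probs.items()})   # {0: .25, 64: .25, 128: .25, 192: .25}
    for c in probs:
        r = order_from_measurement(c, q, x, n)
        print("c =", c, "-> r =", r, "-> factors", factors_from_order(x, r, n) if r else None)
```

Outcomes c = 64 and c = 192 give r = 4 and the factors (3, 5); c = 0 and c = 128 are the unlucky outcomes that force a repetition.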


3.3.3 Quantum Algorithm for Breaking RSA 


The above quantum order finding algorithm (i.e., Algorithm 3.5) and quantum 
factoring algorithm (i.e., Algorithm 3.6) can be further extended to an algorithm 
for breaking RSA. 


Algorithm 3.7 (Quantum Algorithm for Breaking RSA). Let n = pq be the 
RSA modulus, C ≡ M^e (mod n) the ciphertext, and (e, n) the public-key satisfying 
ed ≡ 1 (mod (p − 1)(q − 1)). Then, by first executing Algorithm 3.6, this algorithm 
will break RSA efficiently. 

[1]-[8] (Pre-computation) The steps from [1] to [8] are just the same as those 
in Algorithm 3.6. 
[9] (Computing d) Once n is factored and p and q are found, then 
compute 
$$d \equiv 1/e \pmod{(p-1)(q-1)}.$$
[10] (Code break) As soon as d is found, the RSA plaintext can be 
computed immediately as follows: 
$$M \equiv C^d \pmod n.$$

Theorem 3.7 (Complexity of RSA Breaking). Algorithm 3.7 for breaking RSA 
runs in polynomial-time, O((log n)^{2+ε}). 


However, if we just wish to recover the RSA plaintext M from C, we could do 
this straightforwardly by finding the order of C in Z_n^* without explicitly factoring n. 

Theorem 3.8. Let C be the RSA ciphertext, and order(C, n) the order of C ∈ Z_n^*. 
Then 
$$d \equiv 1/e \pmod{\mathrm{order}(C, n)}.$$

Corollary 3.2. Let C be the RSA ciphertext, and order(C, n) the order of C ∈ Z_n^*. 
Then 
$$M \equiv C^{1/e \bmod \mathrm{order}(C, n)} \pmod n.$$

Thus, to recover the RSA plaintext M from the ciphertext C, it suffices to just find 
the order of C in Z_n^*. Here is the algorithm. 


Algorithm 3.8 (Quantum Order Finding Attack for RSA). Given the RSA 
ciphertext C and the modulus n, this algorithm shall first find the order r of 
C in Z_n^*, such that C^r ≡ 1 (mod n), then recover the plaintext M from the 
ciphertext C. Assume the quantum computer has two quantum registers: 
Register-1 and Register-2, which hold integers in binary form. 

[1] (Initialization) Find a number q, a power of 2, say 2^t, with n^2 ≤ q < 2n^2. 

[2] (Preparation for quantum registers) Put in the first t-qubit register, 
Register-1, the uniform superposition of states representing numbers 
a (mod q), and load Register-2 with all zeros. This leaves the machine 
in the state |ψ_0⟩: 
$$|\psi_0\rangle = \frac{1}{\sqrt q} \sum_{a=0}^{q-1} |a\rangle\,|0\rangle.$$
(Note that the joint state of both registers is represented by |Register-1⟩ 
and |Register-2⟩.) What this step does is put each qubit in Register-1 into 
the superposition 
$$\frac{1}{\sqrt 2}\left(|0\rangle + |1\rangle\right).$$

[3] (Power creation) Fill in the second t-qubit register, Register-2, with 
powers C^a (mod n). This leaves the machine in state |ψ_1⟩: 
$$|\psi_1\rangle = \frac{1}{\sqrt q} \sum_{a=0}^{q-1} |a\rangle\,|C^a \pmod n\rangle.$$
This step can be done reversibly since all the a's were kept in Register-1. 

[4] (Perform a quantum FFT) Apply FFT on Register-1. The FFT maps each 
state |a⟩ to 
$$\frac{1}{\sqrt q} \sum_{c=0}^{q-1} \exp(2\pi i ac/q)\,|c\rangle.$$
That is, we apply the unitary matrix with the (a, c) entry equal to 
(1/√q) exp(2πiac/q). This leaves the machine in the state |ψ_2⟩: 
$$|\psi_2\rangle = \frac{1}{q} \sum_{a=0}^{q-1} \sum_{c=0}^{q-1} \exp(2\pi i ac/q)\,|c\rangle\,|C^a \pmod n\rangle.$$

[5] (Periodicity detection in C^a) Observe both |c⟩ in Register-1 and 
|C^a (mod n)⟩ in Register-2 of the machine, measuring both arguments 
of this superposition, obtaining the value |c⟩ in the first argument 
and some |C^k (mod n)⟩ as the answer for the second one (0 ≤ k < r). 

[6] (Extract r) Extract the required value of r. Given the pure state |ψ_2⟩, the 
probabilities of different results for this measurement will be given by the 
probability distribution: 
$$\begin{aligned} \mathrm{Prob}(c, C^k \pmod n) &= \left| \frac{1}{q} \sum_{\substack{a=0 \\ C^a \equiv C^k \pmod n}}^{q-1} \exp(2\pi i ac/q) \right|^2 \\ &= \left| \frac{1}{q} \sum_{b=0}^{\lfloor (q-k-1)/r \rfloor} \exp(2\pi i (br+k)c/q) \right|^2 \\ &= \left| \frac{1}{q} \sum_{b=0}^{\lfloor (q-k-1)/r \rfloor} \exp(2\pi i b\{rc\}/q) \right|^2, \end{aligned}$$
where {rc} is rc mod q. As shown in [81], if 
$$-\frac{r}{2} \le \{rc\} \le \frac{r}{2}, \quad \text{i.e., } \left| \frac{c}{q} - \frac{d}{r} \right| \le \frac{1}{2q} \text{ for some } d,$$
then we have 
$$\mathrm{Prob}(c, C^k \pmod n) > \frac{1}{3r^2}.$$
Since c and q are known, r can be obtained by the continued fraction 
expansion of c/q. 

[7] (Code break) Once the order r = order(C, n) is found, then compute 
$$M \equiv C^{1/e \bmod r} \pmod n,$$
recovering M from C. 


Theorem 3.9 (Complexity of Quantum Order Finding Attack for RSA). Algorithm 3.8 
for finding order(C, n) and recovering M from C runs in polynomial-time, 
O((log n)^{2+ε}). 

Remark 3.8. The above quantum order finding attack is for finding order(C, n), and then 
using this order information to recover M from C without explicitly factoring n. 
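An added example (editor's code, not the book's) that carries out the order-finding route of Theorem 3.8, Corollary 3.2 and Algorithm 3.8 classically on a toy key (the classical brute-force order finding of the text stands in for the quantum Step [6]), and sets the factoring route of Algorithm 3.7, Steps [9]-[10], beside it; it also serves way 4 of the list in Section 3.2 and Example 3.13. The toy parameters p = 101, q = 113, e = 3533, M = 9726 are constructed for this illustration and are not from the book.

```python
# Added example (editor's code, not the book's): the order-finding attack of
# Theorem 3.8 / Corollary 3.2 / Algorithm 3.8 carried out classically on a toy
# key, with the factoring route of Algorithm 3.7 beside it for comparison.
# Assumed toy parameters: p = 101, q = 113, e = 3533, M = 9726 (constructed).
from math import gcd


def multiplicative_order(x, n):
    """order(x, n): smallest r >= 1 with x^r = 1 (mod n), found by repeated
    multiplication as in the text.  Only practical for small n."""
    if gcd(x, n) != 1:
        raise ValueError("x must be a unit modulo n, otherwise no order exists")
    r, y = 1, x % n
    while y != 1:
        y = y * x % n
        r += 1
    return r


def rsa_keygen(p, q, e):
    """n = pq, d = 1/e (mod (p-1)(q-1)); ValueError if gcd(e, phi(n)) != 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(e, -1, phi)                    # Python 3.8+ modular inverse


def rsa_encrypt(M, e, n):
    return pow(M, e, n)


def recover_by_factoring(C, e, p, q):
    """Algorithm 3.7, Steps [9]-[10]: d = 1/e mod (p-1)(q-1), M = C^d mod n."""
    n, d = rsa_keygen(p, q, e)
    return pow(C, d, n)


def recover_by_order(C, e, n):
    """Corollary 3.2: M = C^{1/e mod order(C, n)} (mod n), without factoring n.
    Returns (M, r).  gcd(e, r) = 1 holds because r | lambda(n) | phi(n)."""
    r = multiplicative_order(C, n)
    d_r = pow(e, -1, r)                          # 1/e modulo the order, not phi(n)
    return pow(C, d_r, n), r


if __name__ == "__main__":
    p, q, e, M = 101, 113, 3533, 9726
    n, d = rsa_keygen(p, q, e)
    C = rsa_encrypt(M, e, n)
    print("n =", n, "d =", d, "C =", C)
    print("via factoring:", recover_by_factoring(C, e, p, q))
    print("via order(C, n):", recover_by_order(C, e, n))
```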


Problems for Section 3.3 


1. Show that if in Shor’s factoring algorithm, we have 
and 


then 


2. Show that in case r ≠ 2^m, Shor's factoring algorithm [82] needs to be repeated 
only O(log log r) steps in order to achieve a high probability of success. 

3. Let 0 ≤ s ≤ m. Fix an integer c_0 with 0 ≤ c_0 < 2^s. Show that 
$$\sum_{\substack{0 \le c < 2^m \\ c \equiv c_0 \pmod{2^s}}} e^{2\pi i cx/2^m} = \begin{cases} 0 & \text{if } x \not\equiv 0 \pmod{2^{m-s}}, \\ 2^{m-s}\, e^{2\pi i x c_0/2^m} & \text{if } x \equiv 0 \pmod{2^{m-s}}. \end{cases}$$

4. There are currently many pseudo-simulations of Shor's quantum factoring 
algorithm; for example, the paper by Schneiderman et al. [80] gives one of 
the simulations in Maple, whereas Browne [13] presents an efficient classical 
simulation of the quantum Fourier transform based on [80]. Construct your 
own Java (C/C++, Mathematica or Maple) program to simulate Shor's quantum 
factoring algorithm and discrete logarithm algorithm. 

5. Shor's algorithm for solving the integer factorization problem runs in 
polynomial-time. Can you find another quantum polynomial-time factoring 
algorithm, different from Shor's algorithm? 

6. Shor's algorithm belongs to BQP. Can you design a quantum factoring algorithm 
that belongs to P? 


3.4 Variations of Quantum Factoring Algorithms 


It would be nice to implement the full version of Shor's algorithm directly on a 
quantum computer, but this has been shown to be difficult and impossible, as there 
is no practical quantum computer that is capable of running the algorithm. Thus 
various improved and compiled versions of Shor's algorithm using different techniques 
have been proposed and studied. In what follows, we list some of the notable 
algorithms and methods. 


1. A compiled version of Shor's factoring algorithm with a demonstration of 
factoring 15 using photonic qubits is proposed in [53]. 

2. A compiled version of Shor's factoring algorithm with a demonstration of 
factoring 15 using quantum entanglement is proposed in [47]. 

3. A factoring method using a Josephson phase quantum bit processor was 
proposed [54]. 

4. An experimental demonstration of a factoring method with the temporal Talbot 
effect for factoring the number 19403 was proposed in [8]. 

5. The Gauss sum was used in a classical factoring method, but Gilowski et al. [33] 
presented a quantum version of the Gauss sum method with cold atoms; a 
demonstration of this method for factoring the number 263193 was also given. 

6. An experimental demonstration of an adiabatic quantum factoring algorithm in 
nuclear magnetic resonance with an example of factoring the number 21 was 
given [66]. 

7. An experimental demonstration of the factorization of 143 on a dipolar-coupling 
nuclear magnetic resonance system was proposed in [98]. 

8. By using a method similar to [98], Dattani and Bryans [23] gave a demonstration 
of the factorization of 56153 on a quantum computer with only 4 qubits. 

9. Geller and Zhou [32] constructed simplified quantum circuits for Shor's 
factoring algorithm and gave an example for factoring the numbers 51 and 85 
with 8 qubits. 

10. An experimental realization of Shor's algorithm for factoring 21 using qubit 
recycling was proposed [56]. 

11. A realization of Shor's algorithm for factoring 15 on a photonic chip was 
proposed in [68]. 

12. Since the bottleneck of Shor's algorithm is the modular exponentiation, 
Markov and Saeedi [55] presented a fast version via circuit synthesis. 

13. An interesting but different factoring method based on waves was proposed in 
[105], where demonstrations of factoring the numbers 157575 and 52882363 
were briefly discussed. 

14. A fast and highly parallelized version of Shor's algorithm was proposed in 
[104]; with a sizable quantum computer, it is claimed, it is possible to factor numbers with 
millions of digits. 

15. Rather than finding the order r of the element a in Z_n^* such that a^r ≡ 1 (mod 
n), Smolin et al. [87] proposed a quantum computing idea to find the number 
a such that a^2 ≡ 1 (mod n), since once a is found, one can compute gcd(a ± 
1, n) = {p, q} with probability greater than 1/2, if n = pq. 

16. Parker and Plenio [65] proposed an efficient quantum factoring method with a 
pure qubit and log n mixed qubits for factoring the integer n. 

17. Reducing qubits in Shor's algorithm is helpful in constructing a practical quantum 
computer; Seifert [77] proposed a quantum factoring algorithm using fewer 
qubits via simultaneous Diophantine approximation. 


This list will grow as time goes on, and the numbers factored by various new 
and improved quantum factoring algorithms will also become bigger and bigger; 
hopefully, these algorithms will eventually become practical. Now, we give an 
example and demonstration of a variant described in [98]. 


Most of the modern classical factoring algorithms, such as the continued fraction 
method (CFRAC), the quadratic sieve (QS) and the number field sieve (NFS), are 
based on the fact that if one can find a pair of integer solutions $(x, y)$ to the square 
congruence $x^2 \equiv y^2 \pmod n$, then one can compute $\gcd(x \pm y, n) = (p, q)$ with 
high probability if $n = pq$. As we know, all the classical algorithms based on 
this approach run in subexponential time. We would naturally ask: can we speed 
up the process of finding $(x, y)$ exponentially (more precisely, superpolynomially) 
or polynomially? The answer is that a polynomial speedup is possible, but an 
exponential one may be hard. In what follows, we present a quantum algorithm with 
polynomial speedup for finding the solution $(x, y)$ [103]; it actually consists of two 
new algorithms: Algorithm 3.9 for finding $x$ and Algorithm 3.10 for finding $y$. Here 
are the two algorithms. 


Algorithm 3.9. This algorithm tries to find a pair of positive integers $(x, y)$ 
such that $x^2 \equiv y^2 \pmod n$ in an attempt to factor $n$ by computing $\gcd(x \pm y, n) = (p, q)$, 
provided that $n = pq$. By the fundamental law of quantum 
mechanics, although $(x, y)$ can be computed at once, when $x$ is measured, $y$ 
will be destroyed, so this algorithm will only find the required $x$. 

[1] Find a number $q$, a power of 2, say $q = 2^t$, such that $t = \lfloor \log n \rfloor$. 
[2] Initialize the two quantum registers, Reg1 and Reg2, with zeroes: 

$$|\psi_0\rangle = |0\rangle|0\rangle.$$ 

[3] Perform a Hadamard transform on Reg1; we get 

$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{\sqrt{q}} \sum_{x=0}^{q-1} |x\rangle|0\rangle.$$ 

[4] Perform the modular exponentiations on Reg2; we get 

$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{\sqrt{q}} \sum_{x=0}^{q-1} |x\rangle|f(x)\rangle 
= \frac{1}{\sqrt{q}} \sum_{x=0}^{q-1} |x\rangle|x^2 \bmod n\rangle.$$ 

[5] Perform a conditional phase shift on Reg2, with the same state 
receiving a phase shift of $-1$, that is, the states $|x\rangle, |y\rangle$ satisfying 
$x^2 \equiv y^2 \pmod n$ receive a phase shift of $-1$; thus 

$$|\psi_2\rangle \to |\psi_3\rangle = \frac{1}{\sqrt{q}} \sum_{x=0}^{q-1} (-1)^{[x^2 \bmod n \,=\, y^2 \bmod n]} |x\rangle|x^2 \bmod n\rangle.$$ 

[6] Perform the unitary operation $U$ on Reg2, where $U : |x\rangle|b\rangle \to |x\rangle|b \oplus (x^2 \bmod n)\rangle$; 
we obtain 

$$|\psi_3\rangle \to |\psi_4\rangle = \frac{1}{\sqrt{q}} \sum_{x=0}^{q-1} (-1)^{[x^2 \bmod n \,=\, y^2 \bmod n]} |x\rangle|0\rangle.$$ 

[7] Perform a Hadamard transform on Reg1. 

[8] Perform a conditional phase shift on Reg1, with every computational 
basis state except $|0\rangle^{\otimes t}$ receiving a phase shift of $-1$. 

[9] Perform a Hadamard transform on Reg1. 

[10] Measure Reg1. Suppose we observe the state $|x\rangle$; in fact, by the fundamental 
law of quantum mechanics, the states $|x\rangle$ and $|y\rangle$ satisfying the 
congruence $x^2 \equiv y^2 \pmod n$ are observed with the same and higher 
probability, but when $x$ is observed, $y$ will be destroyed; in this case, we 
continue to run Algorithm 3.10. 


Remark 3.9. When $x$ in $x^2 \equiv y^2 \pmod n$ is measured, the value $y$ will be destroyed 
immediately by the fundamental law of quantum mechanics, so we cannot measure 
$y$ at the same time. Ideally, we could run Algorithm 3.9 again to determine $y$, but this 
may require exponentially many runs of Algorithm 3.9 in order to determine $y$. 


To speed up the computation, we let $a = x^2$, so that our square congruence 
$x^2 \equiv y^2 \pmod n$ becomes the quadratic congruence $y^2 \equiv a \pmod n$. In this 
case, we use the following quantum algorithm to solve the Quadratic Congruence 
Problem, that is, to solve for $y$ in $y^2 \equiv a \pmod n$. 


Algorithm 3.10. This algorithm tries to find a solution $y$ to the quadratic 
congruence $y^2 \equiv a \pmod n$, where $a = x^2$ is obtained previously from 
Algorithm 3.9. 

[1] Find a number $q$, a power of 2, say $q = 2^t$, such that $t = \lfloor \log a \rfloor$. 
[2] Initialize the two quantum registers, Reg1 and Reg2, with zeroes: 

$$|\psi_0\rangle = |0\rangle|0\rangle.$$ 

[3] Perform a Hadamard transform on Reg1; we get 

$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{\sqrt{q}} \sum_{y=0}^{q-1} |y\rangle|0\rangle.$$ 

[4] Perform the modular exponentiations on Reg2; we get 

$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{\sqrt{q}} \sum_{y=0}^{q-1} |y\rangle|y^2 \bmod n\rangle.$$ 

[5] Perform a conditional phase shift on Reg2, with the state $|a\rangle$ receiving 
a phase shift of $-1$; thus 

$$|\psi_2\rangle \to |\psi_3\rangle = \frac{1}{\sqrt{q}} \sum_{y=0}^{q-1} (-1)^{[y^2 \bmod n \,=\, a]} |y\rangle|y^2 \bmod n\rangle.$$ 

[6] Perform the unitary operation $U$ on Reg2, where $U : |y\rangle|b\rangle \to |y\rangle|b \oplus (y^2 \bmod n)\rangle$; 
we obtain 

$$|\psi_3\rangle \to |\psi_4\rangle = \frac{1}{\sqrt{q}} \sum_{y=0}^{q-1} (-1)^{[y^2 \bmod n \,=\, a]} |y\rangle|0\rangle.$$ 

[7] Perform a Hadamard transform on Reg1. 

[8] Perform a conditional phase shift on Reg1, with every computational 
basis state except $|0\rangle^{\otimes t}$ receiving a phase shift of $-1$. 

[9] Perform a Hadamard transform on Reg1. 

[10] Measure Reg1. Suppose we observe the state $|y\rangle$; if $y$ satisfies the 
congruence $y^2 \equiv a \pmod n$, then $y$ is a solution to the congruence 
$y^2 \equiv a \pmod n$; otherwise, we need to run the algorithm several times. 
In fact, we observe the $y$ satisfying the congruence $y^2 \equiv a \pmod n$ 
with a higher probability. 


In what follows, some numerical examples for factoring $n = 15$ and $n = 21$ are 
given to simulate and illustrate the execution of the two algorithms. 


Example 3.15. Let $n = 15$. We first run Algorithm 3.9. 

[1] Find a number $q$, a power of 2, say $q = 2^t$, such that $t = \lfloor \log 15 \rfloor = 3$. 
[2] Initialize the two quantum registers, Reg1 and Reg2, with zeroes: 

$$|\psi_0\rangle = |0\rangle|0\rangle.$$ 

[3] Perform a Hadamard transform on Reg1; we get 

$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{\sqrt{8}} \sum_{x=0}^{7} |x\rangle|0\rangle.$$ 

[4] Perform the modular exponentiations on Reg2; we get 

$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{\sqrt{8}} \sum_{x=0}^{7} |x\rangle|f(x)\rangle 
= \frac{1}{\sqrt{8}} \sum_{x=0}^{7} |x\rangle|x^2 \bmod 15\rangle.$$ 

[5] Perform a conditional phase shift on Reg2, with the same state receiving a 
phase shift of $-1$, that is, the states $|2\rangle, |7\rangle$ satisfying $2^2 \equiv 7^2 \pmod{15}$ 
receive a phase shift of $-1$; thus 

$$|\psi_2\rangle \to |\psi_3\rangle = \frac{1}{\sqrt{8}} \sum_{x=0}^{7} (-1)^{[x^2 \bmod 15 \,=\, y^2 \bmod 15]} |x\rangle|x^2 \bmod 15\rangle$$ 
$$= \frac{1}{\sqrt{8}}\big(|0\rangle|0\rangle + |1\rangle|1\rangle - |2\rangle|4\rangle + |3\rangle|9\rangle + |4\rangle|1\rangle + |5\rangle|10\rangle + |6\rangle|6\rangle - |7\rangle|4\rangle\big).$$ 

[6] Perform the unitary operation $U$ on Reg2, where $U : |x\rangle|b\rangle \to |x\rangle|b \oplus (x^2 \bmod 15)\rangle$; 
we obtain 

$$|\psi_3\rangle \to |\psi_4\rangle = \frac{1}{\sqrt{8}} \sum_{x=0}^{7} (-1)^{[x^2 \bmod 15 \,=\, y^2 \bmod 15]} |x\rangle|0\rangle$$ 
$$= \frac{1}{\sqrt{8}}\big(|0\rangle + |1\rangle - |2\rangle + |3\rangle + |4\rangle + |5\rangle + |6\rangle - |7\rangle\big)|0\rangle.$$ 

[7] Perform a Hadamard transform on Reg1: 

$$H : |\psi_4\rangle \to |\psi_5\rangle 
= H\Big(\frac{1}{\sqrt{8}}\big(|000\rangle + |001\rangle - |010\rangle + |011\rangle + |100\rangle + |101\rangle + |110\rangle - |111\rangle\big)\Big)$$ 
$$= \frac{1}{\sqrt{8}} \cdot \frac{1}{\sqrt{8}} \Big[ 
(|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad - (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) 
- (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \Big]$$ 
$$= \frac{1}{2}\big(|000\rangle + |010\rangle - |101\rangle + |111\rangle\big).$$ 

[8] Perform a conditional phase shift on Reg1, with every computational basis state 
except $|0\rangle^{\otimes 3}$ receiving a phase shift of $-1$: 

$$|\psi_6\rangle = \frac{1}{2}\big(|000\rangle - |010\rangle + |101\rangle - |111\rangle\big).$$ 

[9] Perform a Hadamard transform on Reg1: 

$$H : |\psi_6\rangle \to |\psi_7\rangle 
= H\Big(\frac{1}{2}\big(|000\rangle - |010\rangle + |101\rangle - |111\rangle\big)\Big)$$ 
$$= \frac{1}{2} \cdot \frac{1}{\sqrt{8}} \Big[ 
(|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
- (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) 
- (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \Big]$$ 
$$= \frac{1}{4\sqrt{2}}\big(4|010\rangle + 4|111\rangle\big)$$ 
$$= \frac{1}{\sqrt{2}}\big(|010\rangle + |111\rangle\big).$$ 

[10] Measure Reg1. Suppose we observe the state $x = |010\rangle$. In fact, the states $|010\rangle$ 
and $|111\rangle$ are observed with the same and higher probability, but according to 
the fundamental law of quantum mechanics, we can only observe one of them, 
say the first. Thus, we obtain $x = |010\rangle = 2$, and then we continue to 
run Algorithm 3.10. 


Example 3.16. Now we continue to run Algorithm 3.10 for $n = 15$. At the end of 
the execution of Algorithm 3.9, we have observed the state $x = |010\rangle$, that is, we get 
$x = 2$. Now let $a = x^2$. Algorithm 3.10 tries to find a solution $y$ to the quadratic 
congruence $y^2 \equiv a \pmod{15}$, where $a = x^2 = 4$. 

[1] Find a number $q$, a power of 2, say $q = 2^t$, such that $t = \lfloor \log a \rfloor = 3$. 
[2] Initialize the two quantum registers, Reg1 and Reg2, with zeroes: 

$$|\psi_0\rangle = |0\rangle|0\rangle.$$ 

[3] Perform a Hadamard transform on Reg1; we get 

$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{\sqrt{8}} \sum_{y=0}^{7} |y\rangle|0\rangle.$$ 

[4] Perform the modular exponentiations on Reg2; we get 

$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{\sqrt{8}} \sum_{y=0}^{7} |y\rangle|f(y)\rangle 
= \frac{1}{\sqrt{8}} \sum_{y=0}^{7} |y\rangle|y^2 \bmod 15\rangle.$$ 

[5] Perform a conditional phase shift on Reg2, with $|4\rangle$ receiving a phase shift of 
$-1$; thus 

$$|\psi_2\rangle \to |\psi_3\rangle = \frac{1}{\sqrt{8}} \sum_{y=0}^{7} (-1)^{[y^2 \bmod 15 \,=\, 4]} |y\rangle|y^2 \bmod 15\rangle$$ 
$$= \frac{1}{\sqrt{8}}\big(|0\rangle|0\rangle + |1\rangle|1\rangle - |2\rangle|4\rangle + |3\rangle|9\rangle + |4\rangle|1\rangle + |5\rangle|10\rangle + |6\rangle|6\rangle - |7\rangle|4\rangle\big).$$ 

[6] Perform the unitary operation $U$ on Reg2, where $U : |y\rangle|b\rangle \to |y\rangle|b \oplus (y^2 \bmod 15)\rangle$; 
we obtain 

$$|\psi_3\rangle \to |\psi_4\rangle = \frac{1}{\sqrt{8}} \sum_{y=0}^{7} (-1)^{[y^2 \bmod 15 \,=\, 4]} |y\rangle|0\rangle$$ 
$$= \frac{1}{\sqrt{8}}\big(|0\rangle + |1\rangle - |2\rangle + |3\rangle + |4\rangle + |5\rangle + |6\rangle - |7\rangle\big)|0\rangle.$$ 

[7] Perform a Hadamard transform on Reg1: 

$$H : |\psi_4\rangle \to |\psi_5\rangle 
= H\Big(\frac{1}{\sqrt{8}}\big(|000\rangle + |001\rangle - |010\rangle + |011\rangle + |100\rangle + |101\rangle + |110\rangle - |111\rangle\big)\Big)$$ 
$$= \frac{1}{\sqrt{8}} \cdot \frac{1}{\sqrt{8}} \Big[ 
(|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad - (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
+ (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) 
- (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \Big]$$ 
$$= \frac{1}{2}\big(|000\rangle + |010\rangle - |101\rangle + |111\rangle\big).$$ 

[8] Perform a conditional phase shift on Reg1, with every computational basis state 
except $|0\rangle^{\otimes 3}$ receiving a phase shift of $-1$: 

$$|\psi_6\rangle = \frac{1}{2}\big(|000\rangle - |010\rangle + |101\rangle - |111\rangle\big).$$ 

[9] Perform a Hadamard transform on Reg1: 

$$H : |\psi_6\rangle \to |\psi_7\rangle 
= H\Big(\frac{1}{2}\big(|000\rangle - |010\rangle + |101\rangle - |111\rangle\big)\Big)$$ 
$$= \frac{1}{2} \cdot \frac{1}{\sqrt{8}} \Big[ 
(|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle + |1\rangle) 
- (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle)$$ 
$$\quad + (|0\rangle - |1\rangle) \otimes (|0\rangle + |1\rangle) \otimes (|0\rangle - |1\rangle) 
- (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \otimes (|0\rangle - |1\rangle) \Big]$$ 
$$= \frac{1}{4\sqrt{2}}\big(4|010\rangle + 4|111\rangle\big)$$ 
$$= \frac{1}{\sqrt{2}}\big(|010\rangle + |111\rangle\big).$$ 

[10] Measure Reg1. Suppose we observe the state $|010\rangle$, that is, $y = |010\rangle = 2 = x$; 
in this worst case, the value of $y$ is not suitable for us, thus we need to run 
Algorithm 3.10 several times to observe the other state $y = |111\rangle = 7$; in fact, the 
states $|010\rangle$ and $|111\rangle$ are observed with the same probability, that is, $P(|010\rangle) = 
P(|111\rangle) = 1/2$. Of course, we may first observe the state $y = |111\rangle = 7$; in 
this case we get the desired value for $y$ and do not need to run the algorithm 
again. So, at the end of the execution of Algorithm 3.10, we get $x = |010\rangle = 2$, 
$y = |111\rangle = 7$, satisfying $x^2 \equiv y^2 \pmod{15}$. 

[11] Since the desired $(x, y)$ is obtained, we can efficiently compute $\gcd(2 \pm 7, 15) = 
(3, 5)$ on a classical computer, leading to the required prime factorization 
$15 = 3 \times 5$. 
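As an added example (not code from the book or from [103]), the following pure-Python statevector simulation carries out steps [2] to [9] of Algorithm 3.10 for $n = 15$, $a = 4$ and $t = 3$; since the phase flip on Reg2 = 4 marks exactly the pair $|2\rangle$, $|7\rangle$ that Example 3.15 singles out, it reproduces the intermediate states of both Example 3.15 and Example 3.16, and finishes with the classical gcd step [11]. The function names and the dict representation of the state are my own.

```python
"""Statevector simulation of the register manipulations of Algorithms 3.9/3.10.
A state is a dict {(reg1_value, reg2_value): real amplitude}; Reg1 has t qubits
(values 0..2^t - 1) and Reg2 holds x^2 mod n.  Added example, not the book's code."""
from math import gcd, sqrt


def hadamard_reg1(state, t):
    """Apply H^{(x)t} to Reg1 and leave Reg2 untouched (steps [3], [7], [9])."""
    q = 1 << t
    out = {}
    for (x, b), amp in state.items():
        for z in range(q):
            sign = -1.0 if bin(x & z).count("1") % 2 else 1.0   # (-1)^{x . z}
            out[(z, b)] = out.get((z, b), 0.0) + sign * amp / sqrt(q)
    return {k: v for k, v in out.items() if abs(v) > 1e-12}      # drop cancelled terms


def quadratic_search(n, a, t, stop_after=9):
    """Steps [2]-[9] of Algorithm 3.10.  The phase flip in [5] marks the branches
    whose Reg2 value equals a; for n = 15, a = 4 these are |2> and |7>, the pair
    Example 3.15 singles out, so the same code reproduces both examples.
    stop_after returns the state right after that step (3..9)."""
    state = {(0, 0): 1.0}                                                    # [2] |0>|0>
    steps = [
        lambda s: hadamard_reg1(s, t),                                       # [3]
        lambda s: {(x, b ^ (x * x % n)): amp for (x, b), amp in s.items()},  # [4] U_f
        lambda s: {k: (-amp if k[1] == a else amp) for k, amp in s.items()}, # [5] -1 on Reg2 = a
        lambda s: {(x, b ^ (x * x % n)): amp for (x, b), amp in s.items()},  # [6] uncompute Reg2
        lambda s: hadamard_reg1(s, t),                                       # [7]
        lambda s: {k: (amp if k[0] == 0 else -amp) for k, amp in s.items()}, # [8] -1 except |0..0>
        lambda s: hadamard_reg1(s, t),                                       # [9]
    ]
    for step_no, op in zip(range(3, 10), steps):
        state = op(state)
        if step_no == stop_after:
            break
    return state


def reg1_probabilities(state):
    """[10] Measurement statistics of Reg1 (Reg2 is back to |0> after step [6])."""
    probs = {}
    for (x, _), amp in state.items():
        probs[x] = probs.get(x, 0.0) + amp * amp
    return probs


def factor_from_pair(n, x, y):
    """[11] The classical finish: gcd(x +- y, n)."""
    return tuple(sorted({gcd(x + y, n), gcd(abs(x - y), n)}))


def demo(n=15, a=4, t=3):
    """Run the search, read off the outcomes with non-zero probability, and
    factor n from them when exactly two outcomes remain (as for n = 15)."""
    probs = reg1_probabilities(quadratic_search(n, a, t))
    observed = sorted(x for x, p in probs.items() if p > 1e-9)
    if len(observed) != 2:
        return observed, None
    x, y = observed
    return observed, factor_from_pair(n, x, y)


if __name__ == "__main__":
    after_h = quadratic_search(15, 4, 3, stop_after=7)        # |psi_5> of Example 3.15
    print({x: round(amp, 3) for (x, _), amp in sorted(after_h.items())})
    print(demo())
```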


Problems for Section 3.4 


1. Smolin et al. [87] discussed the idea of a simplified version of Shor’s quantum 
factoring algorithm by computing a suitable $a$ such that $a^2 \equiv 1 \pmod n$, 
rather than computing the order $r$ of $a$ such that $a^r \equiv 1 \pmod n$, so as to 
factor $n$. Give a description of the simplified version of the quantum algorithm, 
as well as the complexity measure of the algorithm. 

2. Give a computing demonstration of factoring the integer 21 by using the 
compiled version of Shor’s algorithm developed in [53]. 

3. Give a factoring simulation of the number 291311 by using the quantum 
factorization method described in [23]. What is the complexity of this method? 

4. Give an experimental demonstration of the compiled version of Shor’s factoring 
algorithm developed in [98] for a number larger than 143. 

5. Develop a quantum version of the classical number field sieve factoring 
algorithm. 

6. Develop a quantum version of the classical Pollard ρ integer factoring 
algorithm. 


3.5 Chapter Notes and Further Reading 


The theory of prime numbers is one of the oldest subjects in number theory and 
indeed in the whole of mathematics, whereas the Integer Factorization Problem is 
one of the oldest number-theoretic problems in the field. The root of the problem 
may be traced back to Euclid’s Elements [27], although it was first clearly stated in 
Gauss’ Disquisitiones [31]. With the advent of modern public-key cryptography, 
it has an important application in the construction of unbreakable public-key 
cryptographic schemes and protocols, such as RSA (see [30, 75]), Rabin [73] and 
zero-knowledge proofs [37]. IFP is currently a very hot and applicable research 
topic, and there are many good references in the field; for general reading, 
the following references are highly recommended: [1, 3, 4, 12, 14, 18, 20, 22, 25, 
44, 51, 72, 74, 102]. 

IFP-based cryptography forms an important class of public-key cryptography. In 
particular, RSA cryptography is the most famous and widely used cryptographic 
scheme in today’s Internet world. More information on IFP-based cryptography 
can be found in [9, 10, 21, 34-36, 40, 41, 43, 45, 58, 60, 61, 89, 96, 101]. 

Shor’s discovery of the quantum factoring algorithm [81-85] in 1994 
generated a great deal of research and interest in the field. Quantum computers 
provided a completely new paradigm for the theory of computation, and it was 
the first time that IFP was shown to be efficiently solvable, in polynomial time, on a 
quantum computer. Now there are many good references on quantum computation, 
particularly on quantum factoring. Readers who wish to know more about quantum 
computers and quantum computation are suggested to consult the following references: 
[2, 5-7, 17, 24, 26, 39, 47, 52, 59, 64, 86, 90-95, 97, 99, 100, 104]. Feynman 
is perhaps the father of quantum computation, whose original ideas about quantum 
computers may be found in [28, 29]. 

In addition to quantum computation for factoring, there are also some other non-classical 
computations for factoring, such as molecular DNA-based factoring and 
attacking. For example, Chang et al. proposed some fast parallel molecular DNA 
algorithms for factoring large integers [15] and for breaking RSA cryptography [16]. 
Chapter 4 
Quantum Computing for Discrete Logarithms 


The best way to get a good idea is to get a lot of ideas. 


LINUS PAULING (1901-1994) 
The 1954 Nobel Laureate in Chemistry 


The Discrete Logarithm Problem (DLP) may be the first intractable computational 
number-theoretic problem to be considered for constructing cryptographic schemes, 
by Diffie, Hellman and Merkle at Stanford in 1976 and also by Ellis, Cocks and 
Williamson at the British GCHQ in 1970-1976. Today, DLP is widely used for 
constructing cryptographic systems and digital signatures, and the security of these 
systems depends heavily on the intractability of DLP. In this chapter, we discuss 
quantum computing methods for solving the Discrete Logarithm Problem (DLP) 
and its extension, the Elliptic Curve Discrete Logarithm Problem (ECDLP). 


4.1 Classical Algorithms for Discrete Logarithms 


4.1.1 Basic Concepts 


There are three main types of DLP problems, with respect to the level of the 
difficulty of solving them: 

  Groups G:   DLP in $\mathbb{Z}_n$   DLP in $\mathbb{Z}_n^*$   DLP in $E(\mathbb{F}_q)$ 
              (Easy)                 (Hard)                   (Hard) 
1. DLP in the additive group $G = \mathbb{Z}_n$ is easy to compute: Let us consider the additive 
(cyclic) group $G = \mathbb{Z}_{100}$ of order 100: Find 

$$n = \log_3 17 \pmod{100},$$ 
such that 
$$3n \equiv 17 \pmod{100}.$$ 

This type of DLP can be computed in polynomial time by using Euclid’s 
algorithm for the multiplicative inverse as follows: 

2. DLP in the multiplicative group $G = \mathbb{Z}_n^*$ is hard to compute (note that when 
$n = p$ or $n = p^k$ is a prime or a prime power, then $G$ is a field): Let us consider 
the multiplicative (cyclic) group $G = \mathbb{Z}_{101}^*$ of order 100. Find 

$$n = \log_3 17 \pmod{101},$$ 
such that 
$$3^n \equiv 17 \pmod{101}.$$ 

This type of DLP is generally hard and there is no polynomial-time algorithm to 
solve it. Of course, for this artificially small example, one can find 

$$\log_3 17 = 70 \pmod{101}$$ 
easily by exhaustive search. 

3. DLP in an elliptic curve group is also hard to compute (note that it is also possible 
for $G = E(\mathbb{Z}_n)$ or $G = E(\mathbb{Q})$): Consider the elliptic curve over a finite field as 
follows: 

$$E \backslash \mathbb{F}_{101} : y^2 = x^3 + 7x + 12 \pmod{101},$$ 
where $\{P(-1, 2), Q(31, 86)\} \in E(\mathbb{F}_{101})$. Find $k = \log_P Q \pmod{101}$ such that 

$$Q = kP \pmod{101}.$$ 

This type of DLP is also generally hard and there is no polynomial-time 
algorithm to solve it. Again, for this artificially small example, one can find 

$$\log_P Q = 78 \pmod{101}$$ 

easily by exhaustive search. 


In the next sections of this chapter, we consider the classical and quantum 
algorithms for DLP over a multiplicative group $\mathbb{Z}_n^*$ or a finite field $\mathbb{F}_{p^k}$ with $k \ge 1$; 
the ECDLP over $E(\mathbb{F}_p)$ will be discussed in the next chapter. 


4.1.2 Shanks’ Baby-Step Giant-Step Algorithm 


Let $G$ be a finite cyclic group of order $n$, $a$ a generator of $G$ and $b \in G$. The obvious 
algorithm of computing successive powers of $a$ until $b$ is found takes $O(n)$ group 
operations. For example, to compute $x = \log_2 15 \pmod{19}$, we compute $2^x \bmod 19$ 
for $x = 0, 1, 2, \ldots, 19 - 1$ until $2^x \bmod 19 = 15$ for some $x$ is found, that is: 

   x   | 0 | 1 | 2 | 3 | 4  | 5  | 6 | 7  | 8 | 9  | 10 | 11 
  -----+---+---+---+---+----+----+---+----+---+----+----+---- 
  a^x  | 1 | 2 | 4 | 8 | 16 | 13 | 7 | 14 | 9 | 18 | 17 | 15 

So $\log_2 15 \pmod{19} = 11$. It is clear that when $n$ is large, the algorithm is 
inefficient. In this section, we introduce a type of square root algorithm, called 
the baby-step giant-step algorithm, for taking discrete logarithms, which is better 
than the above-mentioned obvious algorithm. The algorithm, due to Daniel Shanks 
(1917-1996), works on arbitrary groups [59]. 

Let $m = \lceil \sqrt{n} \rceil$. The baby-step giant-step algorithm is based on the observation 
that if $x = \log_a b$, then we can uniquely write $x = i + jm$, where $0 \le i, j < m$. 
For example, if $11 = \log_2 15 \bmod 19$, then $a = 2$, $b = 15$, $m = 5$, so we can 
write $11 = i + 5j$ for $0 \le i, j < m$. Clearly here $i = 1$ and $j = 2$, so we have 
$11 = 1 + 5 \cdot 2$. Similarly, for $14 = \log_2 6 \bmod 19$ we can write $14 = 4 + 5 \cdot 2$, and for 
$17 = \log_2 10 \bmod 19$ we can write $17 = 2 + 5 \cdot 3$, etc. The following is a description 
of the algorithm: 


Algorithm 4.1 (Shanks’ Baby-Step Giant-Step Algorithm). This algorithm 
computes the discrete logarithm $x$ of $y$ to the base $a$, modulo $n$, such that 
$y = a^x \pmod n$: 

[1] (Initialization) Compute $s = \lfloor \sqrt{n} \rfloor$. 
[2] (Computing the baby step) Compute the first sequence (list), denoted by 
$S$, of pairs $(ya^r, r)$, $r = 0, 1, 2, 3, \ldots, s - 1$: 

$$S = \{(y, 0), (ya, 1), (ya^2, 2), (ya^3, 3), \ldots, (ya^{s-1}, s - 1) \bmod n\}$$ 

and sort $S$ by $ya^r$, the first element of the pairs in $S$. 

[3] (Computing the giant step) Compute the second sequence (list), denoted 
by $T$, of pairs $(a^{ts}, ts)$, $t = 1, 2, 3, \ldots, s$: 

$$T = \{(a^s, s), (a^{2s}, 2s), (a^{3s}, 3s), \ldots, (a^{s^2}, s^2) \bmod n\}$$ 

and sort $T$ by $a^{ts}$, the first element of the pairs in $T$. 

[4] (Searching, comparing and computing) Search both lists $S$ and $T$ for a 
match $ya^r = a^{ts}$ with $ya^r$ in $S$ and $a^{ts}$ in $T$, then compute $x = ts - r$. This $x$ 
is the required value of $\log_a y \pmod n$. 


This algorithm requires a table with $O(m)$ entries ($m = \lfloor \sqrt{n} \rfloor$, where $n$ is the 
modulus). Using a sorting algorithm, we can sort both lists $S$ and $T$ in $O(m \log m)$ 
operations. Thus this gives an algorithm for computing discrete logarithms that uses 
$O(\sqrt{n} \log n)$ time and space for $O(\sqrt{n})$ group elements. Note that Shanks’ idea was 
originally for computing the order of a group element $g$ in the group $G$, but here we 
use his idea to compute discrete logarithms. Note also that although this algorithm 
works on arbitrary groups, if the order of the group is larger than $10^{40}$, it will be 
infeasible. 


Example 4.1. Suppose we wish to compute the discrete logarithm $x = \log_2 6 \bmod 19$ 
such that $6 = 2^x \bmod 19$. According to Algorithm 4.1, we perform the following 
computations: 

[1] $y = 6$, $a = 2$ and $n = 19$, $s = \lfloor \sqrt{19} \rfloor = 4$. 
[2] Computing the baby step: 
$$S = \{(y, 0), (ya, 1), (ya^2, 2), (ya^3, 3) \bmod 19\}$$ 
$$= \{(6, 0), (6 \cdot 2, 1), (6 \cdot 2^2, 2), (6 \cdot 2^3, 3) \bmod 19\}$$ 
$$= \{(6, 0), (12, 1), (5, 2), (10, 3)\}$$ 
$$= \{(5, 2), (6, 0), (10, 3), (12, 1)\}.$$ 

[3] Computing the giant step: 
$$T = \{(a^s, s), (a^{2s}, 2s), (a^{3s}, 3s), (a^{4s}, 4s) \bmod 19\}$$ 
$$= \{(2^4, 4), (2^8, 8), (2^{12}, 12), (2^{16}, 16) \bmod 19\}$$ 
$$= \{(16, 4), (9, 8), (11, 12), (5, 16)\}$$ 
$$= \{(5, 16), (9, 8), (11, 12), (16, 4)\}.$$ 
[4] Matching and computing: The number 5 is the common value of the first 
element in pairs of both lists $S$ and $T$, with $r = 2$ and $st = 16$, so $x = 
st - r = 16 - 2 = 14$. That is, $\log_2 6 \pmod{19} = 14$, or equivalently, 
$2^{14} \pmod{19} = 6$. 
Example 4.2. Suppose now we wish to find the discrete logarithm $x = 
\log_{59} 67 \bmod 113$, such that $67 = 59^x \bmod 113$. Again by Algorithm 4.1, we 
have: 

[1] $y = 67$, $a = 59$ and $n = 113$, $s = \lfloor \sqrt{113} \rfloor = 10$. 
[2] Computing the baby step: 

$$S = \{(y, 0), (ya, 1), (ya^2, 2), (ya^3, 3), \ldots, (ya^9, 9) \bmod 113\}$$ 
$$= \{(67, 0), (67 \cdot 59, 1), (67 \cdot 59^2, 2), (67 \cdot 59^3, 3), (67 \cdot 59^4, 4), 
(67 \cdot 59^5, 5), (67 \cdot 59^6, 6), (67 \cdot 59^7, 7), (67 \cdot 59^8, 8), 
(67 \cdot 59^9, 9) \bmod 113\}$$ 
$$= \{(67, 0), (111, 1), (108, 2), (44, 3), (110, 4), (49, 5), (66, 6), 
(52, 7), (17, 8), (99, 9)\}$$ 
$$= \{(17, 8), (44, 3), (49, 5), (52, 7), (66, 6), (67, 0), (99, 9), 
(108, 2), (110, 4), (111, 1)\}.$$ 

[3] Computing the giant step: 

$$T = \{(a^s, s), (a^{2s}, 2s), (a^{3s}, 3s), \ldots, (a^{10s}, 10s) \bmod 113\}$$ 
$$= \{(59^{10}, 10), (59^{2 \cdot 10}, 2 \cdot 10), (59^{3 \cdot 10}, 3 \cdot 10), (59^{4 \cdot 10}, 4 \cdot 10), 
(59^{5 \cdot 10}, 5 \cdot 10), (59^{6 \cdot 10}, 6 \cdot 10), (59^{7 \cdot 10}, 7 \cdot 10), (59^{8 \cdot 10}, 8 \cdot 10), 
(59^{9 \cdot 10}, 9 \cdot 10), (59^{10 \cdot 10}, 10 \cdot 10) \bmod 113\}$$ 
$$= \{(72, 10), (99, 20), (9, 30), (83, 40), (100, 50), (81, 60), 
(69, 70), (109, 80), (51, 90), (56, 100)\}$$ 
$$= \{(9, 30), (51, 90), (56, 100), (69, 70), (72, 10), (81, 60), (83, 40), 
(99, 20), (100, 50), (109, 80)\}.$$ 

[4] Matching and computing: The number 99 is the common value of the first 
element in pairs of both lists $S$ and $T$, with $r = 9$ and $st = 20$, so $x = 
st - r = 20 - 9 = 11$. That is, $\log_{59} 67 \pmod{113} = 11$, or equivalently, 
$59^{11} \pmod{113} = 67$. 
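Algorithm 4.1 in Python, as an added example (not the book’s code), with the baby and giant lists exposed so that the tables of Examples 4.1 and 4.2 can be checked; the function names are my own, and the dict `lookup` stands in for the sorted list $S$.

```python
"""Shanks' baby-step giant-step (Algorithm 4.1).  Added example, not the book's code."""
from math import isqrt


def baby_steps(y, a, n, s):
    """[2] S = [(y a^r mod n, r) for r = 0..s-1] in computation order; sort it to
    obtain the book's second form of S."""
    pairs, val = [], y % n
    for r in range(s):
        pairs.append((val, r))
        val = val * a % n
    return pairs


def giant_steps(a, n, s):
    """[3] T = [(a^{ts} mod n, ts) for t = 1..s] in computation order."""
    pairs, stride, val = [], pow(a, s, n), 1
    for t in range(1, s + 1):
        val = val * stride % n
        pairs.append((val, t * s))
    return pairs


def shanks_dlog(y, a, n, s=None):
    """Algorithm 4.1: return x with a^x = y (mod n), or None if the lists never meet.
    s defaults to the book's floor(sqrt(n)).  Caveat: t*s - r then only ranges over
    1..s^2, so pass s = isqrt(n - 1) + 1 (the ceiling) when an exponent above s^2
    is possible."""
    if s is None:
        s = isqrt(n)
    if y % n == 1:          # a^0 = 1 is not reachable as ts - r with t >= 1
        return 0
    lookup = {}
    for val, r in baby_steps(y, a, n, s):
        lookup.setdefault(val, r)            # keep the smallest r for a repeated value
    for val, ts in giant_steps(a, n, s):     # [4] first match y a^r = a^{ts}
        if val in lookup:
            return ts - lookup[val]
    return None


if __name__ == "__main__":
    print(sorted(baby_steps(6, 2, 19, 4)))    # S of Example 4.1, sorted
    print(giant_steps(2, 19, 4))              # T of Example 4.1, computation order
    print(shanks_dlog(6, 2, 19), shanks_dlog(67, 59, 113))
```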


Shanks’ baby-step giant-step algorithm is a type of square root method for 
computing discrete logarithms. In 1978 Pollard also gave two other types of square 
root methods, namely the ρ-method and the λ-method, for taking discrete logarithms. 
Pollard’s methods are probabilistic but remove the necessity of precomputing 
the lists $S$ and $T$, as in Shanks’ baby-step giant-step method. Again, Pollard’s 
algorithm requires $O(\sqrt{n})$ group operations and hence is infeasible if the order of the 
group $G$ is larger than $10^{40}$. 
4.1.3 Silver–Pohlig–Hellman Algorithm 


In 1978, Pohlig and Hellman proposed an important special algorithm, now widely 
known as the Silver–Pohlig–Hellman algorithm, for computing discrete logarithms 
over $\mathrm{GF}(q)$ with $O(\sqrt{p})$ operations and a comparable amount of storage, where $p$ is 
the largest prime factor of $q - 1$. Pohlig and Hellman showed that if 

$$q - 1 = \prod_{i=1}^{k} p_i^{\alpha_i},$$ 

where the $p_i$ are distinct primes and the $\alpha_i$ natural numbers, and if $r_1, \ldots, r_k$ are any real 
numbers with $0 \le r_i \le 1$, then logarithms over $\mathrm{GF}(q)$ can be computed in 

$$O\left(\sum_{i=1}^{k} \alpha_i \left(\log q + p_i^{1 - r_i}\left(1 + \log p_i^{r_i}\right)\right)\right)$$ 

field operations, using 

$$O\left(\log q \sum_{i=1}^{k} \left(1 + p_i^{r_i}\right)\right)$$ 

bits of memory, provided that a precomputation requiring 

$$O\left(\sum_{i=1}^{k} \left(p_i^{r_i} \log p_i^{r_i} + \log q\right)\right)$$ 

field operations is performed first. This algorithm is very efficient if $q$ is “smooth”, 
i.e., all the prime factors of $q - 1$ are small. We shall give a brief description of the 
algorithm as follows: 


Algorithm 4.2 (Silver–Pohlig–Hellman Algorithm). This algorithm computes 
the discrete logarithm $x = \log_a b \bmod q$: 

[1] Factor $q - 1$ into its prime factorization form: 
$$q - 1 = \prod_{i=1}^{k} p_i^{\alpha_i} = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}.$$ 

[2] Precompute the table $r_{p_i, j}$ for a given field: 
$$r_{p_i, j} = a^{j(q-1)/p_i} \bmod q, \quad 0 \le j < p_i.$$ 

This only needs to be done once for any given field. 

[3] Compute the discrete logarithm of $b$ to the base $a$ modulo $q$, i.e., compute 
$x = \log_a b \bmod q$: 

[3-1] Use an idea similar to that in the baby-step giant-step algorithm to 
find the individual discrete logarithms $x \bmod p_i^{\alpha_i}$: To compute $x \bmod p_i^{\alpha_i}$, 
we consider the representation of this number to the base $p_i$: 

$$x \bmod p_i^{\alpha_i} = x_0 + x_1 p_i + \cdots + x_{\alpha_i - 1} p_i^{\alpha_i - 1},$$ 

where $0 \le x_n \le p_i - 1$. 
(a) To find $x_0$, we compute $b^{(q-1)/p_i} \bmod q$, which equals $r_{p_i, j}$ for some $j$, and set 
$x_0 = j$, for which 
$$b^{(q-1)/p_i} \bmod q = r_{p_i, j}.$$ 
This is possible because 

$$b^{(q-1)/p_i} = a^{x(q-1)/p_i} = a^{x_0 (q-1)/p_i} \bmod q = r_{p_i, x_0}.$$ 

(b) To find $x_1$, compute $b_1 = b a^{-x_0}$. If 

$$b_1^{(q-1)/p_i^2} \bmod q = r_{p_i, j},$$ 

then set $x_1 = j$. This is possible because 

$$b_1^{(q-1)/p_i^2} = a^{(x - x_0)(q-1)/p_i^2} = a^{(x_1 + x_2 p_i + \cdots)(q-1)/p_i} 
= a^{x_1 (q-1)/p_i} \bmod q = r_{p_i, x_1}.$$ 

(c) To obtain $x_2$, consider the number $b_2 = b a^{-x_0 - x_1 p_i}$ and compute 

$$b_2^{(q-1)/p_i^3} \bmod q.$$ 

The procedure is carried on inductively to find all $x_0, x_1, \ldots, x_{\alpha_i - 1}$. 

[3-2] Use the Chinese Remainder Theorem to find the unique value of 
$x$ from the congruences $x \bmod p_i^{\alpha_i}$. 


We now give an example of how the above algorithm works: 


Example 4.3. Suppose we wish to compute the discrete logarithm $x = \log_2 62 \bmod 181$. 
Now we have $a = 2$, $b = 62$ and $q = 181$ (2 is a generator of $\mathbb{F}_{181}^*$). We follow 
the computation steps described in the above algorithm: 

[1] Factor $q - 1$ into its prime factorization form: 

$$180 = 2^2 \cdot 3^2 \cdot 5.$$ 

[2] Use the following formula to precompute the table $r_{p_i, j}$ for the given field $\mathbb{F}_{181}$: 
$$r_{p_i, j} = a^{j(q-1)/p_i} \bmod q, \quad 0 \le j < p_i.$$ 

This only needs to be done once for this field. 
[2-1] Compute 
$r_{p_1, j} = a^{j(q-1)/p_1} \bmod q = 2^{90j} \bmod 181$ for $0 \le j < p_1 = 2$: 
$r_{2,0} = 2^{90 \cdot 0} \bmod 181 = 1$, 
$r_{2,1} = 2^{90 \cdot 1} \bmod 181 = 180$. 

[2-2] Compute 
$r_{p_2, j} = a^{j(q-1)/p_2} \bmod q = 2^{60j} \bmod 181$ for $0 \le j < p_2 = 3$: 
$r_{3,0} = 2^{60 \cdot 0} \bmod 181 = 1$, 
$r_{3,1} = 2^{60 \cdot 1} \bmod 181 = 48$, 
$r_{3,2} = 2^{60 \cdot 2} \bmod 181 = 132$. 

[2-3] Compute 
$r_{p_3, j} = a^{j(q-1)/p_3} \bmod q = 2^{36j} \bmod 181$ for $0 \le j < p_3 = 5$: 
$r_{5,0} = 2^{36 \cdot 0} \bmod 181 = 1$, 
$r_{5,1} = 2^{36 \cdot 1} \bmod 181 = 59$, 
$r_{5,2} = 2^{36 \cdot 2} \bmod 181 = 42$, 
$r_{5,3} = 2^{36 \cdot 3} \bmod 181 = 125$, 
$r_{5,4} = 2^{36 \cdot 4} \bmod 181 = 135$. 

Construct the $r_{p_i, j}$ table as follows: 

  p_i \ j |  0  |  1  |  2  |  3  |  4 
  --------+-----+-----+-----+-----+----- 
     2    |  1  | 180 |     |     | 
     3    |  1  |  48 | 132 |     | 
     5    |  1  |  59 |  42 | 125 | 135 

This table is manageable if all $p_i$ are small. 

[3] Compute the discrete logarithm of 62 to the base 2 modulo 181, that is, compute 
$x = \log_2 62 \bmod 181$. Here $a = 2$ and $b = 62$: 

[3-1] Find the individual discrete logarithms $x \bmod p_i^{\alpha_i}$ using 

$$x \bmod p_i^{\alpha_i} = x_0 + x_1 p_i + \cdots + x_{\alpha_i - 1} p_i^{\alpha_i - 1}, \quad 0 \le x_n \le p_i - 1.$$ 

(a-1) Find the discrete logarithm $x \bmod p_1^{\alpha_1}$, i.e., $x \bmod 2^2$: 
$$x \bmod 181 \Longleftrightarrow x \bmod 2^2 = x_0 + 2x_1.$$ 
(i) To find $x_0$, we compute 
$$b^{(q-1)/p_1} \bmod q = 62^{180/2} \bmod 181 = 1 = r_{p_1, j} = r_{2,0},$$ 
hence $x_0 = 0$. 
(ii) To find $x_1$, compute first $b_1 = b a^{-x_0} = b = 62$, then compute 
$$b_1^{(q-1)/p_1^2} \bmod q = 62^{180/4} \bmod 181 = 1 = r_{p_1, j} = r_{2,0},$$ 
hence $x_1 = 0$. So 
$$x \bmod 2^2 = x_0 + 2x_1 \Longrightarrow x \bmod 4 = 0.$$ 
(a-2) Find the discrete logarithm $x \bmod p_2^{\alpha_2}$, that is, $x \bmod 3^2$: 
$$x \bmod 181 \Longleftrightarrow x \bmod 3^2 = x_0 + 3x_1.$$ 
(i) To find $x_0$, we compute 
$$b^{(q-1)/p_2} \bmod q = 62^{180/3} \bmod 181 = 48 = r_{p_2, j} = r_{3,1},$$ 
hence $x_0 = 1$. 
(ii) To find $x_1$, compute first $b_1 = b a^{-x_0} = 62 \cdot 2^{-1} = 31$, then compute 
$$b_1^{(q-1)/p_2^2} \bmod q = 31^{180/9} \bmod 181 = 1 = r_{p_2, j} = r_{3,0},$$ 
hence $x_1 = 0$. So 
$$x \bmod 3^2 = x_0 + 3x_1 \Longrightarrow x \bmod 9 = 1.$$ 
(a-3) Find the discrete logarithm $x \bmod p_3^{\alpha_3}$, that is, $x \bmod 5^1$: 
$$x \bmod 181 \Longleftrightarrow x \bmod 5^1 = x_0.$$ 
To find $x_0$, we compute 
$$b^{(q-1)/p_3} \bmod q = 62^{180/5} \bmod 181 = 1 = r_{p_3, j} = r_{5,0},$$ 
hence $x_0 = 0$. So we conclude that 
$$x \bmod 5 = x_0 \Longrightarrow x \bmod 5 = 0.$$ 

[3-2] Find the $x$ in $x \bmod 181$ such that 

$$x \bmod 4 = 0, \quad x \bmod 9 = 1, \quad x \bmod 5 = 0.$$ 

To do this, we just use the Chinese Remainder Theorem to solve the following 
system of congruences: 

$$x \equiv 0 \pmod 4, \quad x \equiv 1 \pmod 9, \quad x \equiv 0 \pmod 5.$$ 

The unique value of $x$ for this system of congruences is $x = 100$. 
(This can be easily done by using, for example, the Maple function 
chrem([0, 1, 0], [4, 9, 5]).) So the value of $x$ in the congruence 
$x \bmod 181$ is 100. Hence $x = \log_2 62 = 100$. 
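Algorithm 4.2 in Python, as an added example (not the book’s code), following the book’s step numbering and checked against Example 4.3; the function names, the value-to-index layout of the $r_{p_i, j}$ table and the trial-division factoring of $q - 1$ are my own choices.

```python
"""Silver-Pohlig-Hellman (Algorithm 4.2) for a generator a of F_q^*, q prime.
Added example, not the book's code."""


def factorize(m):
    """[1] Trial-division factorization {p_i: alpha_i}; adequate for the small q - 1 used here."""
    factors, p = {}, 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def precompute_table(a, q, primes):
    """[2] r_{p_i, j} = a^{j (q-1)/p_i} mod q for 0 <= j < p_i, stored as value -> j
    so the lookups in [3-1] are dictionary hits rather than table scans."""
    return {p: {pow(a, j * (q - 1) // p, q): j for j in range(p)} for p in primes}


def dlog_mod_prime_power(a, b, q, p, alpha, table):
    """[3-1] x mod p^alpha = x_0 + x_1 p + ... + x_{alpha-1} p^{alpha-1}, digit by digit."""
    x, b_k = 0, b % q          # b_k = b * a^{-(x_0 + ... + x_{k-1} p^{k-1})} as in (a), (b), (c)
    for k in range(alpha):
        r = pow(b_k, (q - 1) // p ** (k + 1), q)   # equals r_{p, x_k} by the book's argument
        x_k = table[p][r]
        x += x_k * p ** k
        b_k = b_k * pow(a, -(x_k * p ** k), q) % q # strip the digit just found
    return x


def crt(residues, moduli):
    """[3-2] Chinese Remainder Theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, mod) % mod)
        m *= mod
    return x % m


def pohlig_hellman(a, b, q):
    """Algorithm 4.2: x = log_a b mod q."""
    factors = factorize(q - 1)
    table = precompute_table(a, q, factors)
    residues = [dlog_mod_prime_power(a, b, q, p, alpha, table) for p, alpha in factors.items()]
    moduli = [p ** alpha for p, alpha in factors.items()]
    return crt(residues, moduli)


if __name__ == "__main__":
    print(precompute_table(2, 181, [2, 3, 5]))    # the r_{p_i, j} table of Example 4.3
    print(pohlig_hellman(2, 62, 181))             # log_2 62 mod 181
```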


4.1.4 ρ Method for DLP 


We have seen that the Pollard ρ-method [48] can be used to solve the IFP problem. 
We shall see that there is a corresponding ρ algorithm for solving the DLP 
problem [49], which has the same expected running time as the Baby-Step 
Giant-Step, but which requires a negligible amount of storage. Assume we wish 
to find $x$ such that 

$$\alpha^x \equiv \beta \pmod n.$$ 

Note that we assume the order of the element $\alpha$ in the multiplicative group $\mathbb{Z}_n^*$ is $r$. 
In ρ for DLP, the group $G = \mathbb{Z}_n^*$ is partitioned into three sets $G_1$, $G_2$ and $G_3$ of 
roughly equal size. Define a sequence of group elements $\{x_i\}$: $x_0, x_1, x_2, x_3, \ldots$ as 
follows: 

$$x_0 = 1, \qquad 
x_{i+1} = f(x_i) = \begin{cases} \beta x_i, & \text{if } x_i \in G_1, \\ x_i^2, & \text{if } x_i \in G_2, \\ \alpha x_i, & \text{if } x_i \in G_3, \end{cases} \tag{4.1}$$ 

for $i \ge 0$. This sequence in turn defines two sequences of integers $\{a_i\}$ and $\{b_i\}$ 
as follows: 

$$a_0 = 0, \qquad 
a_{i+1} = \begin{cases} a_i, & \text{if } x_i \in G_1, \\ 2a_i, & \text{if } x_i \in G_2, \\ a_i + 1, & \text{if } x_i \in G_3, \end{cases} \tag{4.2}$$ 

and 

$$b_0 = 0, \qquad 
b_{i+1} = \begin{cases} b_i + 1, & \text{if } x_i \in G_1, \\ 2b_i, & \text{if } x_i \in G_2, \\ b_i, & \text{if } x_i \in G_3. \end{cases} \tag{4.3}$$ 

Just the same as ρ for IFP, we find two group elements $x_i$ and $x_{2i}$ such that $x_i = x_{2i}$. 
Hence 

$$\alpha^{a_i} \beta^{b_i} = \alpha^{a_{2i}} \beta^{b_{2i}}.$$ 

Therefore 

$$\beta^{b_i - b_{2i}} = \alpha^{a_{2i} - a_i}. \tag{4.4}$$ 

By taking logarithms to the base $\alpha$ of both sides in (4.4), we get 

$$x = \log_\alpha \beta = \frac{a_{2i} - a_i}{b_i - b_{2i}} \pmod r, \tag{4.5}$$ 

provided that $b_i \not\equiv b_{2i} \pmod n$. The corresponding ρ algorithm may be described 
as follows. 
Algorithm 4.3 (ρ for DLP). This algorithm tries to find $x$ such that 
$\alpha^x \equiv \beta \pmod n$. 

Set $x_0 = 1$, $a_0 = 0$, $b_0 = 0$ 
For $i = 1, 2, 3, \ldots$ do 
    Use (4.1), (4.2) and (4.3) to compute $(x_i, a_i, b_i)$ and $(x_{2i}, a_{2i}, b_{2i})$ 
    If $x_i = x_{2i}$, do 
        Set $r \leftarrow b_i - b_{2i} \bmod n$ 
        If $r = 0$ terminate the algorithm with failure 
        else compute $x = r^{-1}(a_{2i} - a_i) \pmod n$ 
        output $x$ 


Example 4.4. Solve for $x$ such that 
$$89^x \equiv 618 \pmod{809}.$$ 
Let $G_1, G_2, G_3$ be as follows: 

$$G_1 = \{x \in \mathbb{Z}_{809} : x \equiv 1 \pmod 3\},$$ 
$$G_2 = \{x \in \mathbb{Z}_{809} : x \equiv 0 \pmod 3\},$$ 
$$G_3 = \{x \in \mathbb{Z}_{809} : x \equiv 2 \pmod 3\}.$$ 

For $i = 1, 2, 3, \ldots$ we calculate $(x_i, a_i, b_i)$ and $(x_{2i}, a_{2i}, b_{2i})$ until $x_i = x_{2i}$, as follows: 

   i  | (x_i, a_i, b_i) | (x_{2i}, a_{2i}, b_{2i}) 
  ----+-----------------+-------------------------- 
   1  | (618, 0, 1)     | (76, 0, 2) 
   2  | (76, 0, 2)      | (113, 0, 4) 
   3  | (46, 0, 3)      | (488, 1, 5) 
   4  | (113, 0, 4)     | (605, 4, 10) 
   5  | (349, 1, 4)     | (422, 5, 11) 
   6  | (488, 1, 5)     | (683, 7, 11) 
   7  | (555, 2, 5)     | (451, 8, 12) 
   8  | (605, 4, 10)    | (344, 9, 13) 
   9  | (451, 5, 10)    | (112, 11, 13) 
  10  | (422, 5, 11)    | (422, 11, 15) 

At $i = 10$, a match has been found: 

$$x_{10} = x_{20} = 422.$$ 

Since the order of 89 in $\mathbb{Z}_{809}^*$ is 101, we have 

$$x = \frac{a_{20} - a_{10}}{b_{10} - b_{20}} = \frac{11 - 5}{11 - 15} = 49 \pmod{101}.$$ 

Clearly, 

$$89^{49} \equiv 618 \pmod{809}.$$ 
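Algorithm 4.3 in Python, as an added example (not the book’s code), using the three-way partition of Example 4.4 and returning the $(x_i, a_i, b_i)$, $(x_{2i}, a_{2i}, b_{2i})$ trace so that the table above can be checked; the function names are my own, and exponents are reduced modulo the order $r$ (the book’s table keeps them unreduced, which makes no difference for the small values here).

```python
"""Pollard rho for DLP (Algorithm 4.3) with the partition of Example 4.4.
Added example, not the book's code."""
from math import gcd


def partition(x):
    """Example 4.4: x = 1 (mod 3) -> G_1, x = 0 (mod 3) -> G_2, x = 2 (mod 3) -> G_3."""
    return {1: 1, 0: 2, 2: 3}[x % 3]


def step(x, a, b, alpha, beta, n, r):
    """One application of (4.1), (4.2), (4.3) to the triple (x_i, a_i, b_i); a, b kept mod r."""
    g = partition(x)
    if g == 1:
        return beta * x % n, a, (b + 1) % r
    if g == 2:
        return x * x % n, 2 * a % r, 2 * b % r
    return alpha * x % n, (a + 1) % r, b


def rho_dlog(alpha, beta, n, r, max_iter=10_000):
    """Algorithm 4.3: x with alpha^x = beta (mod n), where r is the order of alpha.
    Returns (x, i, trace); trace[i-1] = ((x_i, a_i, b_i), (x_2i, a_2i, b_2i)).
    x is None on failure (b_i = b_2i, or their difference not invertible mod r)."""
    slow = fast = (1, 0, 0)                  # (x_0, a_0, b_0)
    trace = []
    for i in range(1, max_iter + 1):
        slow = step(*slow, alpha, beta, n, r)                             # (x_i, a_i, b_i)
        fast = step(*step(*fast, alpha, beta, n, r), alpha, beta, n, r)   # (x_2i, a_2i, b_2i)
        trace.append((slow, fast))
        if slow[0] == fast[0]:               # x_i = x_2i
            _, a_i, b_i = slow
            _, a_2i, b_2i = fast
            d = (b_i - b_2i) % r
            if d == 0 or gcd(d, r) != 1:
                return None, i, trace
            return (a_2i - a_i) * pow(d, -1, r) % r, i, trace              # (4.5)
    return None, max_iter, trace


if __name__ == "__main__":
    x, i, trace = rho_dlog(89, 618, 809, 101)
    for k, (s, f) in enumerate(trace, 1):    # reproduces the table of Example 4.4
        print(k, s, f)
    print("x =", x, "found at i =", i)
```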


4.1.5 Index Calculus Algorithm 


In 1979, Adleman [1] proposed a general purpose, subexponential-time algorithm 
for computing discrete logarithms in $\mathbb{Z}_n^*$ with $n$ composite, called the index calculus 
method, with the following expected running time: 

$$O\left(\exp\left(c\sqrt{\log n \log \log n}\right)\right).$$ 

The index calculus is, in fact, a wide range of methods, including CFRAC, QS and 
NFS for IFP. In what follows, we discuss a variant of Adleman’s index calculus for 
DLP in $\mathbb{Z}_p^*$ with $p$ prime. 


Algorithm 4.4 (Index Calculus for DLP). This algorithm tries to find an 
integer $k$ such that 

$$k = \log_\beta \alpha \pmod p \quad \text{or} \quad \alpha \equiv \beta^k \pmod p.$$ 

[1] Precomputation 

[1-1] (Choose factor base) Select a factor base $\Gamma$, consisting of the first 
$m$ prime numbers, 

$$\Gamma = \{p_1, p_2, \ldots, p_m\},$$ 

with $p_m \le B$, the bound of the factor base. 

[1-2] (Compute $\beta^e \bmod p$) Randomly choose a set of exponents $e \le p - 2$, 
compute $\beta^e \bmod p$, and factor it as a product of prime powers. 

[1-3] (Smoothness) Collect only those relations $\beta^e \bmod p$ that are 
smooth with respect to $B$. That is, 

$$\beta^e \bmod p = \prod_{i=1}^{m} p_i^{e_i}, \quad e_i \ge 0. \tag{4.6}$$ 

When such relations exist, get 

$$e \equiv \sum_{j=1}^{m} e_j \log_\beta p_j \pmod{p - 1}. \tag{4.7}$$ 

[1-4] (Repeat) Repeat [1-3] to find at least $m$ such $e$ in order to find $m$ 
relations as in (4.7) and solve for $\log_\beta p_j$, $j = 1, 2, \ldots, m$. 
[2] Compute $k = \log_\beta \alpha \pmod p$ 

[2-1] For each $e$ in (4.7), determine the value of $\log_\beta p_j$ for $j = 1, 2, \ldots, m$ 
by solving the $m$ modular linear equations with unknowns $\log_\beta p_j$. 

[2-2] (Compute $\alpha \beta^r \bmod p$) Randomly choose an exponent $r \le p - 2$ and 
compute $\alpha \beta^r \bmod p$. 

[2-3] (Factor $\alpha \beta^r \bmod p$ over $\Gamma$) 

$$\alpha \beta^r \bmod p = \prod_{j=1}^{m} p_j^{r_j}, \quad r_j \ge 0. \tag{4.8}$$ 

If (4.8) is unsuccessful, go back to Step [2-2]. If it is successful, then 

$$\log_\beta \alpha = -r + \sum_{j=1}^{m} r_j \log_\beta p_j.$$ 
Example 4.5 (Index Calculus for DLP). Find
$$x = \log_{22} 4 \pmod{3360}$$
such that
$$4 \equiv 22^x \pmod{3361}.$$

[1] Precomputation

    [1-1] (Choose factor base) Select a factor base $\Gamma$ consisting of the first 4 prime numbers,
          $$\Gamma = \{2, 3, 5, 7\},$$
          with $p_4 \le 7$, the bound of the factor base.

    [1-2] (Compute $22^e \bmod 3361$) Randomly choose a set of exponents $e \le 3359$, compute $22^e \bmod 3361$, and factor it as a product of prime powers:
          $$22^{48} \equiv 2^5 \cdot 3^2 \pmod{3361},$$
          $$22^{100} \equiv 2^6 \cdot 7 \pmod{3361},$$
          $$22^{186} \equiv 2^9 \cdot 5 \pmod{3361},$$
          $$22^{2986} \equiv 2^3 \cdot 3 \cdot 5^2 \pmod{3361}.$$

    [1-3] (Smoothness) The above four relations are smooth with respect to $B = 7$. Thus
          $$48 \equiv 5\log_{22} 2 + 2\log_{22} 3 \pmod{3360},$$
          $$100 \equiv 6\log_{22} 2 + \log_{22} 7 \pmod{3360},$$
          $$186 \equiv 9\log_{22} 2 + \log_{22} 5 \pmod{3360},$$
          $$2986 \equiv 3\log_{22} 2 + \log_{22} 3 + 2\log_{22} 5 \pmod{3360}.$$

[2] Compute $k = \log_{22} 4 \pmod{3360}$

    [2-1] Solving the system gives
          $$\log_{22} 2 = 1100,\quad \log_{22} 3 = 2314,\quad \log_{22} 5 = 366,\quad \log_{22} 7 = 220 \pmod{3360}.$$
          (These four relations alone determine $\log_{22} 2$ only modulo 96: eliminating the other three unknowns leaves $35\log_{22} 2 \equiv 1540 \pmod{3360}$, and $\gcd(35, 3360) = 35$. Among the 35 candidates, $1100$ is the one with $22^{1100} \equiv 2 \pmod{3361}$; in practice one collects more relations than unknowns so that such ambiguities disappear.)

    [2-2] (Compute $4 \cdot 22^r \bmod 3361$) Randomly choose an exponent $r = 754 \le 3359$ and compute $4 \cdot 22^{754} \bmod 3361$.

    [2-3] (Factor $4 \cdot 22^{754} \bmod 3361$ over $\Gamma$)
          $$4 \cdot 22^{754} \equiv 2 \cdot 3^2 \cdot 5 \cdot 7 \pmod{3361}.$$
          Thus,
          $$\log_{22} 4 \equiv -754 + \log_{22} 2 + 2\log_{22} 3 + \log_{22} 5 + \log_{22} 7 \equiv 2200 \pmod{3360}.$$
          That is,
          $$22^{2200} \equiv 4 \pmod{3361}.$$


Example 4.6. Find $k = \log_{11} 7 \pmod{28}$, that is, $k$ such that $11^k \equiv 7 \pmod{29}$ (here $\beta = 11$, $\alpha = 7$ and $p = 29$).

[1] (Factor base) Let the factor base be $\Gamma = \{2, 3, 5\}$.

[2] (Compute and factor $\beta^e \bmod p$) Randomly choose $e < p$, compute and factor $\beta^e \bmod p = 11^e \bmod 29$ as follows:

    (1) $11^2 \equiv 5 \pmod{29}$ (success),
    (2) $11^3 \equiv 26 = 2 \cdot 13 \pmod{29}$ (fail),
    (3) $11^5 \equiv 14 = 2 \cdot 7 \pmod{29}$ (fail),
    (4) $11^6 \equiv 9 = 3^2 \pmod{29}$ (success),
    (5) $11^7 \equiv 12 = 2^2 \cdot 3 \pmod{29}$ (success),
    (6) $11^9 \equiv 2 \pmod{29}$ (success).

[3] (Solve the system of congruences for the quantities $\log_{11} p_j$)

    (1) $\log_{11} 5 \equiv 2 \pmod{28}$,
    (4) $2\log_{11} 3 \equiv 6 \pmod{28}$, so $\log_{11} 3 \equiv 3$ or $17 \pmod{28}$,
    (6) $\log_{11} 2 \equiv 9 \pmod{28}$,
    (5) $2\log_{11} 2 + \log_{11} 3 \equiv 7 \pmod{28}$, hence $\log_{11} 3 \equiv 7 - 18 \equiv 17 \pmod{28}$,

which resolves the ambiguity left by (4): $\log_{11} 3 = 17$ (indeed $11^{17} \equiv 3$, whereas $11^3 \equiv 26 \pmod{29}$).

[4] (Compute and factor $\alpha\beta^e \bmod p$) Randomly choose $e < p$, compute and factor $\alpha\beta^e \bmod p = 7 \cdot 11^e \bmod 29$ as follows:

    $7 \cdot 11 \equiv 19 \pmod{29}$ (fail),
    $7 \cdot 11^2 \equiv 6 = 2 \cdot 3 \pmod{29}$ (success).

Thus
$$\log_{11} 7 \equiv \log_{11} 2 + \log_{11} 3 - 2 \equiv 9 + 17 - 2 \equiv 24 \pmod{28}.$$
This is true since
$$11^{24} \equiv 7 \pmod{29}.$$
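As an added example (not code from the book), the following Python program implements Algorithm 4.4 and reruns Examples 4.5 and 4.6. Two choices differ from the text and are assumptions of this implementation: relations are collected by a deterministic sweep over the exponent $e$ rather than by random choice, so that runs are reproducible, and all arithmetic on logarithms is done modulo the order of $\beta$ (computed by brute force, which is fine only at toy sizes) rather than modulo $p-1$, since that is the modulus the logarithms are actually defined in. The linear system is solved by Gauss-Jordan elimination over $\mathbb{Z}_m$ with a composite $m$, which is why only pivots coprime to $m$ are used; with many more relations than unknowns one is always available, which is exactly the gap noted in step [2-1] of Example 4.5. `pow(x, -1, m)` requires Python 3.8 or later.

```python
from math import gcd


def element_order(g, p):
    """Order of g in Z_p^* by brute force (adequate for the toy moduli of Examples 4.5 and 4.6)."""
    k, x = 1, g % p
    while x != 1:
        x, k = x * g % p, k + 1
    return k


def factor_over_base(v, base):
    """Exponent vector of v over the factor base, or None if v is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while v % q == 0:
            v //= q
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def solve_mod(rows, m, ncols):
    """Gauss-Jordan over Z_m on augmented rows [c_1 .. c_ncols | rhs].

    m is composite in general, so only entries coprime to m are used as pivots.
    Returns the solution vector, or None if some column has no unit pivot.
    """
    rows = [[v % m for v in r] for r in rows]
    used = {}                                   # column -> pivot row index
    for col in range(ncols):
        piv = next((i for i, r in enumerate(rows)
                    if i not in used.values() and gcd(r[col], m) == 1), None)
        if piv is None:
            return None
        inv = pow(rows[piv][col], -1, m)
        rows[piv] = [v * inv % m for v in rows[piv]]
        for i, r in enumerate(rows):
            if i != piv and r[col]:
                f = r[col]
                rows[i] = [(a - f * b) % m for a, b in zip(r, rows[piv])]
        used[col] = piv
    return [rows[used[col]][-1] for col in range(ncols)]


def index_calculus(beta, alpha, p, base):
    """Return (k, logs) with beta^k = alpha (mod p) and logs = {q: log_beta q for q in base}."""
    m = element_order(beta, p)                  # logarithms live in Z_m, not Z_{p-1}
    rows = [exps + [e] for e in range(1, m)     # step [1]: every smooth beta^e gives a relation (4.7)
            for exps in [factor_over_base(pow(beta, e, p), base)] if exps is not None]
    logs = solve_mod(rows, m, len(base))        # step [2-1]
    if logs is None:
        raise ValueError("no unit pivot for some column: enlarge the factor base or relation set")
    for q, L in zip(base, logs):                # sanity check before trusting the table
        if pow(beta, L, p) != q:
            raise ValueError(f"{q} is not a power of {beta} modulo {p}")
    for r in range(m):                          # steps [2-2]/[2-3]: find a smooth alpha * beta^r
        exps = factor_over_base(alpha * pow(beta, r, p) % p, base)
        if exps is not None:
            k = (sum(x * L for x, L in zip(exps, logs)) - r) % m
            return k, dict(zip(base, logs))
    raise ValueError("alpha is not in the subgroup generated by beta")


if __name__ == "__main__":
    print(index_calculus(11, 7, 29, [2, 3, 5]))        # Example 4.6: k = 24, logs 9, 17, 2
    print(index_calculus(22, 4, 3361, [2, 3, 5, 7]))   # Example 4.5
```

For Example 4.6 the sweep collects 16 relations and the elimination picks the rows for $11^9 \equiv 2$, $11^7 \equiv 2^2 \cdot 3$ and $11^2 \equiv 5$ as pivots, giving the same table of logarithms as the text. The final sweep over $r$ in step [2] stops at $r = 2$ for Example 4.6 and at $r = 0$ for Example 4.5, where $4 = 2^2$ is already smooth.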


For more than 10 years after its invention, Adleman's method and its variants were the fastest algorithms for computing discrete logarithms. The situation changed when Gordon [25] in 1993 proposed an algorithm for computing discrete logarithms in the finite field $\mathbb{F}_p$. Gordon's algorithm is based on the Number Field Sieve (NFS) for integer factorization, with the heuristic expected running time

$$O\left(\exp\left(c(\log p)^{1/3}(\log\log p)^{2/3}\right)\right),$$

the same as that of the NFS for factoring. The algorithm can be briefly described as follows:

Algorithm 4.5 (Gordon's NFS). This algorithm computes the discrete logarithm $x$ such that $a^x \equiv b \pmod p$ with input $a, b, p$, where $a$ is a generator of $\mathbb{F}_p^*$, $b \in \mathbb{F}_p^*$ and $p$ is prime:

[1] (Precomputation): Find the discrete logarithms of a factor base of small rational primes; this needs to be done only once for a given $p$.

[2] (Compute individual logarithms): Find the logarithm of each $b \in \mathbb{F}_p^*$ by finding the logarithms of a number of "medium-sized" primes.

[3] (Compute the final logarithm): Combine all the individual logarithms (by using the Chinese Remainder Theorem) to find the logarithm of $b$.

Interested readers are referred to Gordon's paper [25] for more detailed information.


Example 4.7. We present in the following some DLP records and examples obtained with various variants (modifications) of the Number Field Sieve (NFS).

1. Hamza Jeljeli et al. (NMBRTHRY list, 11 Jun 2014) solved the following discrete logarithm modulo a 180-digit (596-bit) prime using NFS. Let
$$y \equiv g^k \pmod p,$$
where


p = RSA-180 + 625942 
19114792771898660968922946663 14546498 129862462766673548 
6418850363880726070343679905877620136513516127813425829 
6128109200046702912984568752800330221777752773957404540 
495707852046983, 

g=5, 

y = 13506641086599522334960321627880596993888 14756056670275 
24485143851526510604859533833940287 15057 190944179820728 
2164471551373680419703964191743046496589274256239341020 
8643832021 10372958725762358509643 1 105640735015081875106 
765946292055636855294752 1350085287941 637732853390610975 
05443349998 1 1 150056977236890927563. 


Then the discrete logarithm $k$ is

$k = \log_g y \pmod p$
= 13867056612682358487962586 13263333263 123639438256210392 
2021558334615378333627255995552197035730130291204631078 
2908659450758549108092918331352215751346054755216673005 
939933186397777. 
2. Thorsten Kleinjung (NMBRTHRY list, 5 Feb 2007) solved the following discrete logarithm modulo a 160-digit (530-bit) prime using NFS. Let

$p = \lfloor 10^{159}\pi \rfloor + 119849$
3141592653589793238462643383279502884 1 97169399375 105820 
9749445923078 16406286208 9986280348253421 170679821480865 
1328230664709384460955058223 1725359408 12848 1237299, 

g=2, 

$y = \lfloor 10^{159} e \rfloor$
271828 182845904523536028747 135266249775724709369995 9574 
966967627724076630353547594571382178525 1664274274663919 
32003059921817413596629043572900334295260595630738. 


Then the discrete logarithm $k$ is

$k = \log_g y \pmod p$
= 8298971646503489705 1864680264075784402496 1 4693231264721
9853184518689598402644834266625285046612688 143761738165
39426243075376793 1963671 15610535260824235 13665596.
3. Dmitry Matyukhin et al. (NMBRTHRY list, 22 Dec 2006) solved the following discrete logarithm modulo a 135-digit (448-bit) prime using NFS. Let

$p = \lfloor 2^{446}\pi \rfloor + 63384$
= 570857799147913943 142073298 15945329074737629555045 19051 
1386537591 186591858802294523702070250020343761541967996 
165992836977896 1422486479, 
g=7, 
y=11. 
Then the discrete logarithm $k$ is
$k = \log_g y \pmod p$
= 2638094 154425326843577938327776267044837001 100509616312 


40336610545 143645723034872275030016383962573841 18164938 
89215403 1068496007427 12. 
4. Antoine Joux et al. (NMBRTHRY list, 18 Jun 2005) solved the following discrete logarithm modulo a 130-digit (431-bit) prime using NFS. Let

$p = \lfloor 10^{129}\pi \rfloor + 38914$
= 3141592653589793238462643383279502884 197169399375 105820 

9749445923078 16406286208 9986280348253421 170679821480865 
13282306647093883523 

g=2, 

y = 271828182845904523536028747 1352662497757247093699959574 
966967627724076630353547594571382178525 1664274274663919 
32003059921817413596. 


Then the discrete logarithm $k$ is

$k = \log_g y \pmod p$
2113848822378679565759046301222860744437727641443507757 
7308395472009525854952021287542101183764223613733010791 
9426669776684829109. 


4.1.6 Discrete Logarithm in Small Characteristic Fields Using FFS

Let $\mathbb{F}_{p^k}$ be a finite field, with $p^k$ a prime power and $k \ge 1$, and let $Q = p^k$ be the cardinality of the field. Let also

$$L_Q(\alpha, c) = O\left(\exp\left(c(\log Q)^{\alpha}(\log\log Q)^{1-\alpha}\right)\right).$$

Then for medium and large $p$, the fastest algorithm for DLP over $\mathbb{F}_{p^k}$ is still the Number Field Sieve, with complexity

$$L_Q\left(\tfrac{1}{3}, \left(\tfrac{128}{9}\right)^{1/3}\right)$$

for medium $p$ and

$$L_Q\left(\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right)$$

for large $p$. However, for small $p$, the Function Field Sieve (FFS) (see [4]) for the Discrete Logarithm Problem (DLP) over small characteristic fields runs in time proportional to

$$L_Q\left(\tfrac{1}{3}, \left(\tfrac{32}{9}\right)^{1/3}\right),$$

a little faster than NFS.

Based on the work in [31, 33], Göloğlu et al. [24] proposed in 2013 an improved version of FFS with complexity

$$L_Q\left(\tfrac{1}{3}, \left(\tfrac{4}{9}\right)^{1/3}\right)$$

for DLP over small characteristic fields; they also presented two computational examples of DLP over $\mathbb{F}_{2^{1971}}$ and $\mathbb{F}_{2^{3164}}$ using their algorithm. Joux [32] also proposed in 2013 an index calculus algorithm with complexity

$$L_Q\left(\tfrac{1}{4} + o(1)\right)$$

for a small characteristic finite field of size $Q = p^k$. More recently, Barbulescu et al. proposed an even faster algorithm for discrete logarithms in finite fields of small characteristic, the quasi-polynomial algorithm, with complexity $n^{O(\log n)}$, where $n$ is the bit-size of the input.


Example 4.8. We give some computational examples of recent progress on discrete logarithms in small characteristic fields, using various variants (modifications) of the Function Field Sieve (FFS), and also NFS.

1. The following discrete logarithm


12577963 165 105635828352323 1532041428 134055309778 159 18880154198919721124146930407233594105928 
196200545405 167260702976 1522191438597799624559498662885074482976278 137978653961 1876027859635 
21103901 15352604453460353542293 15737970748 10398000395495638366455630035992529559929902 108679 
7158954535349662505785 1714199506077426599 15247928455 1830406501 129185767604943 174058395008676 
98950480424 12499238 1486947 1350406915853 180363227842832865057437232229 16012003228 122646787787 
608 12744846463014185368022969784377362738090039234572 1807674 1086698 1269956062794778 194643992 
12708824867777648955338284933948899929899623865017456977463629503923943 1 13103473591974384794 
219264175350281501136918454807256425587825289840674579 12635 1616780269 1986577569907675 1288844 
96679 16324793027564734396289 13862368 1328723 16967065 14618918217999365307761347 126655737419414 
138939 184000922601084860644048494395 1036702975567228 1052702454897269358687249058588987873030 
206037998025242932693253489775085 137645354085338 16752555623074363282273238382125649384955044 
57572672007040234538095688669323 195326252650693733552443986277025096145247868633522829296001 
33618627260962596937676406978422629530723830723742640962354006238224015786085592229860420288 
075424649365968533818633933400666435527002 1089 169021319757544688750809 18181498 16922182720710 
85945801198188215225 18905318907 1240027777779380846406 12634988 1480760793 1620053047743 13385188 
2485672097644274780107358940677095370687282783 127900363907507840 1078283635730539702 158853291 
12020386618 1078766049702972300003084552404 18 1602895658597267 8604678849 17556955018789202444 14 
40063307 155903389049268 143763947368963 141 1777094096682 19060530210360059490951914011317445172 
0190827 106708 12085264876243869799462402025806494 1 105190185 18730219749634954707365809 19286102 
7105363587308680221794059 1502232862 169337 148524943727 12765 109739434 1372490996098855428920483 
4158776406285 14117107029620945039598088894042809888 1 858968507894858644623403448200740038 1679 
1560798398920964 170638732149972484698800065754685048240568908000395724272228 18821446648 19226 
958009658934028 1258165417 10867996612898 1321541721321473472590961 1737408308012419421252106594 
39961063363459 16088085964730237 14346 1966258884823 17277763406488409357268 1 5387332949033 100658 
0785678288079 18548 1076831613191857815421115194794969864570034744985 1601099077480592845 110383 
285 1762638647963524 1779860392 1924123 1993050026175879877321 185 1188419870966987533549792746212 
96687 1 1620468644466 18106160170209322189 167238854 166963380 16337850625213728173158748 135473789 
8289633496 10061212235868983 1678494 18321400146054733615935965725 1274988267 1779 148934982863203 
394192182717739176364396 133245542876 102244045252 123077850568 104616287079 1973 1 127095852418872 
838478816691911943733494839201709849889522644423283 168715339 16286465088943094602878 183734703 
78767297858757572603, 


in the finite field $\mathbb{F}_{2^{9234}}$ of characteristic 2, was found in January 2014 by Jens Zumbrägel et al. (NMBRTHRY list, 31 Jan 2014), using FFS and spending about 400,000 core hours.

2. A discrete logarithm problem


77505588309444688883926502525 134195 10665467335942327566 179509478 1621005215134978921361692545 
31868849080347908279 137658 196354900390645498674 1 889005276932357 1492 15908477730546852847 1 1762 
8820376065 149535 1559483913 150688303752942529997080820548879268 13577325480888 102 1486584055763 
857856273970555690769400823297306629346243377064945406995423 174157468474800 16650679479553177 
980809778054802556021 12956415 16346533323616303616128355 10743393721 1879178527 1068 106754394547 
1604607 1 1088939964483 155435722546934 168473033 1794273 18725272 106792159326983424727 19828852892 
088509456849503867 133033 1124273191285434266296458963257 1637782776220760760823673502 138428497 
21903406 1440067208 1544044923892055764 109243610303 159673788588423705558842738734 1 153051723735 
964357222057 11435175019406137919975700734056 170958 172298368056240527587735 168461043 124390372 
28717205677060849469042549 1 196690125977350736584309744372934308 1 1219606905750793076266849922 
930761 14839659496542304412068009364228 1233174133 132299814145 152846675883466792733884 15737139 
23437376509652355872697854 1744523 1580259595895435 18783 1210646 16279296755 145058 16157907548584 
0658 1643 175264075781 190106248059254483, 


in the finite field $\mathbb{F}_{3^{2395}} = \mathbb{F}_{(3^5)^{479}}$, with 3796 bits, was solved in September 2014 by Cécile Pierrot et al. using under 8600 CPU hours (NMBRTHRY list, 15 Sep 2014).

3. The following discrete logarithm


465401264553 1337673666669 1974797369 17408020801989599595299657583 
30665929585 101 182532307899 17498 104078593703566578479326592024301 
0310280270908733 1 13443497535707468938 1307659375386 14277595 176682 
050748 15823 15458 109232748306942 14497 130463705 1675435855273618145 
665426426496097 160234 1334000598 135868436603 190762 15425590491 1334 
911959096450664356557454 1978457 1606689340809704 161 11086483769489 
80798 182139669466905 17 12028992082300619780189046859352858 1063945 
4110901899 16767133 143892547833363446762266548669 17 12919356152287 
0499943526675859399 134234255946 15552854732, 


in the finite field $\mathbb{F}_{2^{6168}} = \mathbb{F}_{(2^{257})^{24}}$ of characteristic 2, was found in May 2013 by Antoine Joux (NMBRTHRY list, 21 May 2013).


4. The following discrete logarithm problem in the finite field $\mathbb{F}_{2^{1279}}$ of characteristic 2 was solved by Thorsten Kleinjung et al. (NMBRTHRY list, 17 Oct 2014). The solved logarithm is:


32127507603835424427 1788784435322541827019023388947750652050900 
525115180566 1482432 193924349687 140554 19806450499337950042809584 
372691453 133999605576037085342759765883954703008707 139154520404 
77911938859944095242430 18423092634 1514308445 17137778559 19414897 
5494771537228921 13859834687536270307065 1041102748 16485776366785 
65998908 1 1247759947699602938086 14458 121740694009 191847021263785 
7540496. 
Problems for Section 4.1

1. Use the exhaustive method to find the following discrete logarithms $k$ over $\mathbb{Z}_{1009}$, if they exist:


(1) k = log; 57 (mod 1009). 
(2) k = log,, 57 (mod 1009). 
(3) k = log, 20 (mod 1009). 


2. Use the baby-step giant-step algorithm to compute the following discrete 
logarithms k: 


(1) k = log; 96 (mod 317). 
(2) k = log37 15 (mod 123). 
(3) k = log; 57105961 (mod 58231351). 


3. Use the Silver-Pohlig-Hellman algorithm to solve the discrete logarithms $k$:

(1) $3^k \equiv 2 \pmod{65537}$.
(2) $5^k \equiv 57105961 \pmod{58231351}$.
(3) k = log; 57105961 (mod 58231351). 


4. Use Pollard's $\rho$ method to find the discrete logarithms $k$ such that

(1) $2^k \equiv 228 \pmod{383}$.
(2) $5^k \equiv 3 \pmod{2017}$.


5. Let the factor base be $\Gamma = \{2, 3, 5, 7\}$. Use the index calculus method to find the discrete logarithm $k$:


k = log, 37 (mod 131). 


6. Use the index calculus with factor base $\Gamma = \{2, 3, 5, 7, 11\}$ to solve the DLP


k = log; 13 (mod 2039). 
7. Let

p = 3141592653589793238462643383279502884 197169399375 1058209
    749445923078 16406286208998628034825342 1 17067982148086513
    28230664709384460955058223 1725359408 128481237299,

x = 2,


y = 27182818284590452353602874713526624977572470936999595749 
6696762772407663035354759457 1382178525 166427427466391932 
0030599218174135966290435729003342952605 95630738. 
(1) Use Gordon's index calculus method (Algorithm 4.5) to compute the $k$ such that
$$y \equiv x^k \pmod p.$$

(2) Verify whether your $k$ agrees with the following value:

829897 1646503489705 1864680264075784402496 1469323 1264721985
31845 186895984026448342666252850466 12688 143761738 165394262
43075376793 1963671 15610535260824235 13665596.


4.2 Discrete Logarithm Based Cryptography

As discussed in the previous section, the Discrete Logarithm Problem (DLP) is intractable on classical computers, and all the existing classical algorithms for DLP are inefficient. So, just as IFP is used for RSA, the intractability of DLP can also be used to construct cryptographic systems. In fact, the world's first public-key system, the DHM (Diffie-Hellman-Merkle) key-exchange scheme, was proposed in 1976 [18], and its security relies directly on the intractability of the DLP. In this section we give a brief account of the DHM scheme and some other DLP-based cryptographic systems.


4.2.1 The Diffie-Hellman-Merkle Key-Exchange Protocol 


Diffie and Hellman [18] in 1976 proposed for the first time the concept and idea 
of public-key cryptography, and the first public-key system based on the infeasible 
Discrete Logarithm Problem (DLP). Their system is not a public-key cryptographic 
system, but a public-key distribution system based on Merkle’s seminal work in 
1978 [42]. Such a public-key distribution scheme does not send secret messages 
directly, but rather allows the two parties to agree on a common private-key over 
public networks to be used later in exchanging messages through conventional 
secret-key cryptography. Thus, the Diffie-Hellman-Merkle scheme has the nice 
property that a very fast encryption scheme such as DES or AES can be used for 
actual encryption (just using the agreed key), yet it still enjoys one of the main 
advantages of public-key cryptography. The Diffie-Hellman-Merkle key-exchange 
protocol works in the following way (see Figure 4.1): 


[1] A prime $q$ and a generator $g$ are made public (assume all users have agreed upon a finite group over a fixed finite field $\mathbb{F}_q$),

[2] Alice chooses a random number $a \in \{1, 2, \ldots, q-1\}$ and sends $g^a \bmod q$ to Bob,

[3] Bob chooses a random number $b \in \{1, 2, \ldots, q-1\}$ and sends $g^b \bmod q$ to Alice,
[Figure 4.1 DHM key-exchange protocol: $(g, q)$ public; Alice chooses $a$ and sends $g^a \bmod q$, Bob chooses $b$ and sends $g^b \bmod q$; Alice computes $(g^b)^a \bmod q$ and Bob computes $(g^a)^b \bmod q$, both obtaining $g^{ab} \bmod q$.]

[4] Alice and Bob both compute $g^{ab} \bmod q$ and use this as a private key for future communications.


Clearly, an eavesdropper has $g$, $q$, $g^a \bmod q$ and $g^b \bmod q$, so if he can take discrete logarithms, he can calculate $g^{ab} \bmod q$ and read the communications. That is, if the eavesdropper can use his knowledge of $g$, $q$, $g^a \bmod q$ and $g^b \bmod q$ to recover the integer $a$, then he can easily break the Diffie-Hellman-Merkle system. So, the security of the Diffie-Hellman-Merkle system is based on the following assumption:


Diffie-Hellman-Merkle assumption: It is computationally infeasible to compute $g^{ab} \bmod q$ from $g$, $q$, $g^a \bmod q$ and $g^b \bmod q$. That is,

$$\{g, q, g^a \bmod q, g^b \bmod q\} \xrightarrow{\text{hard to find}} \{g^{ab} \bmod q\}.$$


The Diffie-Hellman-Merkle assumption, in turn, depends on the following Discrete Logarithm Problem assumption, i.e.,

$$\{g, q, g^a \bmod q\} \xrightarrow{\text{hard to find}} \{a\},$$

or

$$\{g, q, g^b \bmod q\} \xrightarrow{\text{hard to find}} \{b\}.$$
In theory, there could be a way to use knowledge of $g^a \bmod q$ and $g^b \bmod q$ to find $g^{ab} \bmod q$. But at present, we simply cannot imagine a way to go from $g^a \bmod q$ and $g^b \bmod q$ to $g^{ab} \bmod q$ without essentially solving the following Discrete Logarithm Problem:

$$\{g, q, g^a \bmod q\} \xrightarrow{\text{find}} \{a\},$$

or

$$\{g, q, g^b \bmod q\} \xrightarrow{\text{find}} \{b\}.$$

If either $a$ or $b$ can be found efficiently, then DHM can be broken easily, since

$$\{g, q, b, g^a \bmod q\} \xrightarrow{\text{easy to find}} \{(g^a)^b \equiv g^{ab} \pmod q\},$$

or

$$\{g, q, a, g^b \bmod q\} \xrightarrow{\text{easy to find}} \{(g^b)^a \equiv g^{ab} \pmod q\}.$$


Example 4.9. The following DHM challenge problem was proposed in [40].

[1] Let $p$ be the following prime number:

p = 204706270385532838059744535 166974274803608394340123459
    6957986745915265913726852295 10652847339705797622075505
    06983 104348665 1682279.

[2] Alice chooses a random number $a$ modulo $p$, computes $7^a \pmod p$, and sends the result to Bob, keeping $a$ secret.

[3] Bob receives

7^a ≡ 12740218011997394682426924433432284974938204258693 162
      165455773529032291467909599868 18609788 13046595 1664554
      58144280588076766033781 (mod p).

[4] Bob chooses a random residue $b$ modulo $p$, computes $7^b \pmod p$, and sends the result to Alice, keeping $b$ secret.

[5] Alice receives

7^b ≡ 18016228528745310244478283483679989501596704669534669
      7313025 1217340599537720584759581769106253806921016518
      48662362137934026803049 (mod p).

[6] Now both Alice and Bob can compute the private key $7^{ab} \pmod p$.

McCurley offered a prize of $100 in 1989 to the first person or group to find the private key constructed from the above communication.
Example 4.10. McCurley's 129-digit discrete logarithm challenge was actually solved on 25 January 1998 using the NFS method, by two German computer scientists, Weber at the Institut für Techno- und Wirtschaftsmathematik in Kaiserslautern and Denny at Debis IT Security Services in Bonn [74]. Their solution to McCurley's DLP problem is as follows:

a = 381272804111900141380783915079296341 9399864355 1018670285
    561375 165045523966929403 9221021725 1405327092887266394263
    70063532797740808 (mod p),

(7^b)^a ≡ 6185869085965188327359333 1 6652037904267987643069521
          7134591462221849525998 15614487782075749218290977740
          8338791850457946749734 (mod p).


As we have already mentioned earlier the Diffie-Hellman-Merkle scheme is not 
intended to be used for actual secure communications, but for key-exchanges. There 
are, however, several other cryptosystems based on discrete logarithms, that can be 
used for secure message transmissions. 


4.2.2 ElGamal Cryptography

In 1985, ElGamal [21], then a PhD student of Hellman at Stanford, proposed the first DLP-based public-key cryptosystem: recovering the plaintext $M$ without the private key amounts to computing a discrete logarithm in $\mathbb{F}_q$, namely the secret exponent $a$ from the public value $g^a \bmod q$ (see step [5] below).

The ElGamal cryptosystem can be described as follows (see also Figure 4.2).

[1] A prime $q$ and a generator $g \in \mathbb{F}_q$ are made public.

[2] Alice chooses at random a private integer
$$a \in \{1, 2, \ldots, q-1\}.$$
This $a$ is the private decryption key. The public encryption key is $\{g, q, g^a \bmod q\}$.

[3] Suppose now Bob wishes to send a message to Alice. He chooses a random number $b \in \{1, 2, \ldots, q-1\}$ and sends Alice the following pair of elements of $\mathbb{F}_q$:
$$(g^b,\; M g^{ab}) \pmod q,$$
where $M$ is the message.

[4] Since Alice knows the private decryption key $a$, she can recover $M$ from this pair by computing $(g^b)^a \pmod q$ and dividing this result into the second element. That is,
$$M = M g^{ab} / (g^b)^a \pmod q.$$

[Figure 4.2 ElGamal cryptography: $(g, q)$ public; Alice chooses $a$ and publishes $g^a \bmod q$; Bob chooses $b$ and sends $(g^b, M g^{ab}) \bmod q$; Alice recovers $M = M g^{ab} / (g^b)^a \bmod q$.]

[5] Cryptanalysis: Find the private $a$ by solving the DLP
$$a = \log_g x \pmod{q-1}$$
such that
$$x \equiv g^a \pmod q.$$


Remark 4.1. Anyone who can solve the discrete logarithm problem in F, breaks 
the cryptosystem by finding the secret decryption key a from the public encryption 
key g“. In theory, there could be a way to use knowledge of g“ and g’ to find g” and 
hence break the cipher without solving the discrete logarithm problem. But as we 
have already seen in the Diffie-Hellman scheme, there is no known way to go from 
g“ and g? to g”? without essentially solving the discrete logarithm problem. So, the 
ElGamal cryptosystem is equivalent to the Diffie-Hellman key-exchange system. 
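As an added example (not code from the book), the following Python program runs steps [1] to [4] of the ElGamal cryptosystem on the same constructed toy group used elsewhere in this section ($q = 10007$, $g = 4$ of prime order 5003; far too small for real use). Besides the round trip, it demonstrates the property a practitioner must keep in mind when using the scheme as the text describes it: the ciphertext $(g^b, Mg^{ab})$ is multiplicatively homomorphic, so anyone can turn an encryption of $M$ into an encryption of $tM$ without knowing $a$; ElGamal encryption alone provides no integrity. The `rng` parameter is an assumption of this code so the run can be made deterministic.

```python
import secrets

# Toy group, constructed for this example: Q = 10007 is a safe prime and
# G = 4 generates its subgroup of prime order (Q-1)/2 = 5003. Far too small for real use.
Q, G = 10007, 4


def elgamal_keygen(q=Q, g=G, rng=secrets.randbelow):
    """Step [2]: private decryption key a, public encryption key {g, q, g^a mod q}."""
    a = 1 + rng(q - 2)                            # a in {1, ..., q-2}
    return a, (g, q, pow(g, a, q))


def elgamal_encrypt(pub, m, rng=secrets.randbelow):
    """Step [3]: a fresh ephemeral b for every message, ciphertext (g^b, M g^{ab})."""
    g, q, ga = pub
    if not 1 <= m < q:
        raise ValueError("message must be a nonzero element of F_q")
    b = 1 + rng(q - 2)
    return pow(g, b, q), m * pow(ga, b, q) % q


def elgamal_decrypt(a, q, ct):
    """Step [4]: M = M g^{ab} / (g^b)^a mod q."""
    gb, c2 = ct
    return c2 * pow(pow(gb, a, q), -1, q) % q


def malleate(ct, factor, q=Q):
    """Turn Enc(M) into Enc(M * factor) with no knowledge of a: the second
    component is M g^{ab}, and multiplying it by `factor` keeps the pair valid."""
    gb, c2 = ct
    return gb, c2 * factor % q


def roundtrip(m, factor=3, rng=secrets.randbelow):
    """Return (decryption recovers m, malleated ciphertext decrypts to factor*m)."""
    a, pub = elgamal_keygen(rng=rng)
    ct = elgamal_encrypt(pub, m, rng=rng)
    return (elgamal_decrypt(a, Q, ct) == m,
            elgamal_decrypt(a, Q, malleate(ct, factor)) == factor * m % Q)


if __name__ == "__main__":
    print(roundtrip(1234))                        # (True, True)
```

In a deployment the message would be encoded into the prime-order subgroup (here the quadratic residues modulo $q$) and the ciphertext authenticated, for instance by a MAC; neither is part of the scheme as stated in the text.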


4.2.3 Massey-Omura Cryptography

The Massey-Omura cryptosystem is another popular public-key cryptosystem based on discrete logarithms over the finite field $\mathbb{F}_q$, with $q = p^r$ a prime power. It was proposed by James Massey and Jim K. Omura in 1982 [39] as a possible improvement over Shamir's original three-pass cryptographic protocol developed around 1980, in which the sender and the receiver do not exchange any keys; however, the protocol does require the sender and the receiver to each hold a private key pair for encrypting and decrypting messages.

[Figure 4.3 The Massey-Omura cryptography: Alice sends $M^{e_A}$ to Bob, Bob returns $M^{e_A e_B}$, Alice sends $M^{e_A e_B d_A}$, and Bob computes $M^{e_A e_B d_A d_B} = M$ (all in $\mathbb{F}_q$, exponents reduced modulo $q-1$).]

Thus, the Massey-Omura cryptosystem works in the following steps (see Figure 4.3):

[1] All the users have agreed upon a finite group over a fixed finite field $\mathbb{F}_q$ with $q$ a prime power.

[2] Each user secretly selects a random integer $e$ between $0$ and $q-1$ such that $\gcd(e, q-1) = 1$, and computes $d = e^{-1} \bmod (q-1)$ by using the extended Euclidean algorithm. At the end of this step, Alice has $(e_A, d_A)$ and Bob has $(e_B, d_B)$.

[3] Now suppose that user Alice wishes to send a secure message $M$ to user Bob; then they follow the following procedure:

    [3-1] Alice first sends $M^{e_A}$ to Bob.

    [3-2] On receiving Alice's message, Bob sends $M^{e_A e_B}$ back to Alice (note that at this point, Bob cannot read Alice's message $M$).

    [3-3] Alice sends $M^{e_A e_B d_A} = M^{e_B}$ to Bob.

    [3-4] Bob then computes $M^{e_B d_B} = M$, and hence recovers Alice's original message $M$.

[4] Cryptanalysis: It is hard for Eve to find $M$ from the three passes exchanged between Alice and Bob unless she can solve the discrete logarithm problem involved efficiently.
The Massey-Omura cryptosystem may also be described in detail as follows, with all arithmetic in $\mathbb{F}_q$ and exponents reduced modulo $q-1$:

Alice: chooses $e_A \in [0, q-1]$ with $\gcd(e_A, q-1) = 1$ and computes $d_A = e_A^{-1} \pmod{q-1}$.
Bob: chooses $e_B \in [0, q-1]$ with $\gcd(e_B, q-1) = 1$ and computes $d_B = e_B^{-1} \pmod{q-1}$.

Alice $\rightarrow$ Bob: $M^{e_A}$
Bob $\rightarrow$ Alice: $M^{e_A e_B}$
Alice $\rightarrow$ Bob: $M^{e_A e_B d_A}$
Bob computes: $M = M^{e_A e_B d_A d_B}$.


Example 4.11. Let

$p = 80000000000000001239$,
$M = 20210519040125$ (Tuesday),
$e_A = 6654873997$,
$e_B = 7658494001$.

Then

$d_A = 70094446778448900393 \pmod{p-1}$,
$d_B = 14252518250422012923 \pmod{p-1}$,
$M^{e_A} \equiv 56964332403383118724 \pmod p$,
$M^{e_A e_B} \equiv 37671804887541585024 \pmod p$,
$M^{e_A e_B d_A} \equiv 50551151743565447865 \pmod p$,
$M^{e_A e_B d_A d_B} \equiv 20210519040125 \pmod p = M$.
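As an added example (not code from the book), the three-pass protocol of this section in Python. The field is a constructed toy prime $p = 10007$ rather than the $p$ of Example 4.11, and `d = pow(e, -1, p - 1)` plays the role of the extended Euclidean algorithm (Python 3.8 or later). The last function shows the caveat the cryptanalysis step [4] does not mention: none of the three passes is authenticated, so an active attacker who can intercept Alice's traffic simply plays Bob's role with her own key pair and recovers $M$ without solving any discrete logarithm. The `rng` parameter is an assumption of this code so that runs can be made deterministic.

```python
from math import gcd
import secrets

P = 10007   # toy prime field F_p, constructed for this example (Example 4.11 uses a 20-digit p)


def mo_keypair(p=P, rng=secrets.randbelow):
    """Step [2]: private (e, d) with gcd(e, p-1) = 1 and e*d = 1 (mod p-1)."""
    while True:
        e = 2 + rng(p - 3)                     # e in [2, p-2]
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def three_pass(m, alice, bob, p=P):
    """Steps [3-1]..[3-4]; returns (pass 1, pass 2, pass 3, what Bob recovers)."""
    e_a, d_a = alice
    e_b, d_b = bob
    c1 = pow(m, e_a, p)                        # Alice -> Bob:   M^{e_A}
    c2 = pow(c1, e_b, p)                       # Bob -> Alice:   M^{e_A e_B}
    c3 = pow(c2, d_a, p)                       # Alice -> Bob:   M^{e_A e_B d_A} = M^{e_B}
    return c1, c2, c3, pow(c3, d_b, p)         # Bob computes    M^{e_B d_B} = M


def mitm(m, alice, mallory, p=P):
    """Nothing in the three passes ties pass 2 to Bob. If Mallory intercepts
    Alice's traffic she answers with her own e_M, Alice dutifully strips her
    own exponent in pass 3, and Mallory reads M with d_M. The commutativity of
    the exponents that makes the scheme work is exactly what she relies on."""
    return three_pass(m, alice, mallory, p)[3]


if __name__ == "__main__":
    alice, bob, mallory = mo_keypair(), mo_keypair(), mo_keypair()
    print(three_pass(1234, alice, bob))       # last entry is 1234 again
    print(mitm(1234, alice, mallory))         # 1234: recovered without Bob's key
```

Exponentiation with $e_A$ and $e_B$ commutes because both act on the cyclic group $\mathbb{F}_p^*$ of order $p-1$, which is also why $M$ must be a nonzero field element.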


4.2.4 DLP-Based Digital Signatures

ElGamal's cryptosystem [21] can also be used for digital signatures; the security of such a signature scheme depends on the intractability of discrete logarithms over a finite field.

Algorithm 4.6 (ElGamal Signature Scheme). This algorithm generates a digital signature $S = (a, b)$ for a message $m$. Suppose that Alice wishes to send a signed message to Bob.

[1] [ElGamal key generation] Alice does the following:

    [1-1] Choose a prime $p$ and two random integers $g$ and $x$, such that both $g$ and $x$ are less than $p$.
    [1-2] Compute $y \equiv g^x \pmod p$.
    [1-3] Make $(y, g, p)$ public (both $g$ and $p$ can be shared among a group of users), but keep $x$ secret.

[2] [ElGamal signature generation] Alice does the following:

    [2-1] Choose at random an integer $k$ such that $\gcd(k, p-1) = 1$.
    [2-2] Compute
          $$a \equiv g^k \pmod p,$$
          $$b \equiv k^{-1}(m - xa) \pmod{p-1}.$$
          Now Alice has generated the signature $(a, b)$. She must keep the random integer $k$ secret, and must not reuse it for another message.

[3] [ElGamal signature verification] To verify Alice's signature, Bob checks that $1 \le a < p$ and confirms that
    $$y^a a^b \equiv g^m \pmod p.$$
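As an added example (not code from the book), Algorithm 4.6 in Python on constructed toy parameters ($p = 10007$, $g = 5$; far too small for real use). The integer actually signed is a SHA-256 digest reduced modulo $p-1$, which is the usual hash-then-sign practice and is this example's assumption rather than part of the algorithm as stated. The verifier includes the range check $1 \le a < p$: omitting it is a classic mistake, since a forger can otherwise present an $a \ge p$ that passes the congruence. The `rng` parameter exists only to make runs deterministic.

```python
from math import gcd
import hashlib
import secrets

P, G = 10007, 5   # toy public parameters, constructed for this example


def eg_keygen(p=P, g=G, rng=secrets.randbelow):
    """Step [1]: private x, public y = g^x mod p."""
    x = 1 + rng(p - 2)
    return x, pow(g, x, p)


def msg_int(msg: bytes, p=P):
    """Hash-then-sign: the integer m that is signed is H(msg) reduced modulo p-1."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (p - 1)


def eg_sign(m, x, p=P, g=G, rng=secrets.randbelow):
    """Step [2]: signature (a, b) with a = g^k, b = k^{-1}(m - x a) (mod p-1)."""
    while True:
        k = 1 + rng(p - 2)                      # fresh per signature, never reused
        if gcd(k, p - 1) == 1:
            break
    a = pow(g, k, p)
    b = (m - x * a) * pow(k, -1, p - 1) % (p - 1)
    return a, b


def eg_verify(m, sig, y, p=P, g=G):
    """Step [3]: 1 <= a < p and y^a a^b = g^m (mod p)."""
    a, b = sig
    if not 1 <= a < p:                          # without this, a forged a >= p can pass
        return False
    return pow(y, a, p) * pow(a, b, p) % p == pow(g, m, p)


def demo(msg=b"constructed sample message"):
    """Return (genuine signature verifies, same signature on an altered message verifies)."""
    x, y = eg_keygen()
    sig = eg_sign(msg_int(msg), x)
    return eg_verify(msg_int(msg), sig, y), eg_verify(msg_int(msg + b"!"), sig, y)


if __name__ == "__main__":
    print(demo())                               # (True, False)
```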


In August 1991, the U.S. National Institute of Standards and Technology (NIST) proposed an algorithm for digital signatures. The algorithm is known as DSA, for Digital Signature Algorithm. The DSA has become U.S. Federal Information Processing Standard 186 (FIPS 186). It is called the Digital Signature Standard (DSS) [12], and was the first digital signature scheme recognized by any government. The role of DSA/DSS is expected to be analogous to that of the Data Encryption Standard (DES). The DSA/DSS is similar to a signature scheme proposed by Schnorr; it is also similar to the signature scheme of ElGamal. The DSA is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications which require data integrity assurance and data authentication. The DSA/DSS consists of two main processes:

1. Signature generation (using the private key),
2. Signature verification (using the public key).

A one-way hash function is used in the signature generation process to obtain a condensed version of the data, called a message digest. The message digest is then signed. The digital signature is sent to the intended receiver along with the signed data (often called the message). The receiver of the message and the signature verifies the signature by using the sender's public key. The same hash function must also be used in the verification process. In what follows, we give the formal specification of the DSA/DSS.
Algorithm 4.7 (Digital Signature Algorithm, DSA). This is a variation of the ElGamal signature scheme. It generates a signature $S = (r, s)$ for the message $m$.

[1] [DSA key generation] To generate the DSA key, the sender performs the following:

    [1-1] Find a 512-bit prime $p$ (which will be public).
    [1-2] Find a 160-bit prime $q$ dividing evenly into $p - 1$ (which will be public).
    [1-3] Generate an element $g \in \mathbb{Z}/p\mathbb{Z}$ whose multiplicative order is $q$, i.e., $g^q \equiv 1 \pmod p$.
    [1-4] Find a one-way hash function $H$ mapping messages into 160-bit values.
    [1-5] Choose a secret key $x$, with $0 < x < q$.
    [1-6] Compute the public key $y$, where $y \equiv g^x \pmod p$.

    Clearly, the secret $x$ is the discrete logarithm of $y$, modulo $p$, to the base $g$.

[2] [DSA signature generation] To sign the message $m$, the sender produces the signature $(r, s)$ by selecting a random integer $k \in \mathbb{Z}/q\mathbb{Z}$, $k \neq 0$, and computing
    $$r = (g^k \bmod p) \bmod q,$$
    $$s = k^{-1}(H(m) + xr) \bmod q.$$
    (If $r = 0$ or $s = 0$, a new $k$ is chosen.)

[3] [DSA signature verification] To verify the signature $(r, s)$ for the message $m$ from the sender, the receiver first checks that $0 < r < q$ and $0 < s < q$, computes
    $$t = s^{-1} \bmod q,$$
    and then accepts the signature as valid if the following congruence holds:
    $$r = \left(g^{H(m)t}\, y^{rt} \bmod p\right) \bmod q. \qquad (4.9)$$

If the congruence (4.9) does not hold, then the message either may have been incorrectly signed, or may have been signed by an impostor. In this case, the message is considered to be invalid.
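As an added example (not code from the book), Algorithm 4.7 in Python on constructed toy parameters: $p = 10007$, $q = 5003$ (so $q \mid p-1$), $g = 4$ of order $q$, and $H$ = SHA-256 reduced modulo $q$; real parameters are 2048/3072-bit $p$ with 224/256-bit $q$. The last function demonstrates why the per-signature $k$ must be random and never reused, a failure mode the algorithm's description leaves implicit: two signatures made with the same $k$ share $r$, and from them anyone can compute $k = (H(m_1) - H(m_2))/(s_1 - s_2) \bmod q$ and then the private key $x = (s_1 k - H(m_1))/r \bmod q$. The `k` argument of `dsa_sign` exists only so the demo can force that reuse.

```python
import hashlib
import secrets

# Toy DSA parameters, constructed for this example (far too small for real use):
# Q_ divides P-1 and G = 2^2 has order Q_ modulo P.
P, Q_, G = 10007, 5003, 4


def H(msg: bytes, q=Q_):
    """Step [1-4]: one-way hash reduced into Z_q (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_keygen(rng=secrets.randbelow):
    """Steps [1-5], [1-6]: secret 0 < x < q, public y = g^x mod p."""
    x = 1 + rng(Q_ - 1)
    return x, pow(G, x, P)


def dsa_sign(msg, x, k=None, rng=secrets.randbelow):
    """Step [2]. `k` may be forced only for the nonce-reuse demonstration below."""
    if k is None:
        k = 1 + rng(Q_ - 1)
    r = pow(G, k, P) % Q_
    s = (H(msg) + x * r) * pow(k, -1, Q_) % Q_
    if r == 0 or s == 0:                          # standard says: pick a new k
        return dsa_sign(msg, x, rng=rng)
    return r, s


def dsa_verify(msg, sig, y):
    """Step [3]: range checks, t = s^{-1}, and congruence (4.9)."""
    r, s = sig
    if not (0 < r < Q_ and 0 < s < Q_):
        return False
    t = pow(s, -1, Q_)
    return (pow(G, H(msg) * t % Q_, P) * pow(y, r * t % Q_, P) % P) % Q_ == r


def recover_key_from_reused_k(msg1, sig1, msg2, sig2):
    """Given two signatures that share r (same k), recover k and then x."""
    (r, s1), (_, s2) = sig1, sig2
    k = (H(msg1) - H(msg2)) * pow((s1 - s2) % Q_, -1, Q_) % Q_
    return (s1 * k - H(msg1)) * pow(r, -1, Q_) % Q_


def demo():
    """Return (sig1 valid, sig2 valid, private key recovered from the two)."""
    x, y = dsa_keygen()
    m1, m2 = b"transfer 10", b"transfer 1000"     # constructed sample messages
    while H(m1) == H(m2):                         # the recovery divides by H(m1) - H(m2)
        m2 += b"."
    sig1 = dsa_sign(m1, x, k=1234)                # the same k reused on purpose
    sig2 = dsa_sign(m2, x, k=1234)
    return dsa_verify(m1, sig1, y), dsa_verify(m2, sig2, y), \
        recover_key_from_reused_k(m1, sig1, m2, sig2) == x


if __name__ == "__main__":
    print(demo())                                 # (True, True, True)
```

The same recovery applies to ECDSA, and a biased or partially known $k$ is enough for lattice-based variants of it; the practical answer is deterministic nonce derivation (RFC 6979) or a properly seeded CSPRNG.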


There are, however, many responses solicited by the (US) Association of 
Computing Machinery (ACM), positive and negative, to the NIST’s DSA. Some 
positive aspects of the DSA include: 


1. The U.S. government has finally recognized the utility and the usefulness of 
public-key cryptography. In fact, the DSA is the only signature algorithm that 
has been publicly proposed by any government. 

2. The DSA is based on reasonably familiar number-theoretic concepts, and it is 
especially useful to the financial services industry. 

3. Signatures in DSA are relatively short (only 320 bits), and the key generation 
process can be performed very efficiently. 
4. When signing, the computation of $r$ can be done even before the message $m$ is 
available, in a "precomputation" step. 


Whilst some negative aspects of the DSA include: 


1. The DSA does not include key exchanges, and cannot be used for key distribution 
and encryption. 

2. The key size in DSA is too short: it is restricted to a 512-bit modulus, 
which should be increased to at least 1024 bits. 

3. The DSA is not compatible with existing international standards; for example, 
the international standards organizations such as ISO, CCITT and SWIFT all 
have accepted the RSA as a standard. 


Nevertheless, the DSA is the only publicly known government digital signature 
standard. 


Problems for Section 4.2 


1. In McCurley's DLP problem, we have 

$7^b \equiv$ 18016228528745310244478283483679989501596704669534669 
7313025 1217340599537720584759581769106253806921016518 
48662362137934026803049 $\pmod p$, 

$p =$ 204706270385532838059744535 166974274803608394340123459 
6957986745915265913726852295 10652847339705797622075505 
06983 104348665 1682279. 

(1) Find the discrete logarithm $b$. 

(2) Compute $(7^a)^b \bmod p$. 

(3) Verify whether your result $(7^a)^b \bmod p$ agrees with Weber and Denny's result, i.e., 
check if $(7^a)^b \equiv (7^b)^a \pmod p$. 


2. Let the DHM parameters be as follows: 

$p =$ 10000000000000000000000000000000000000000000000000000 
0000000000000000000204706270385532838059744535 1669742 
748036083943401234596957986745915265913726852295 10652 
84733970579762207550506983 104348665 1682889, 

$13^x \equiv$ 10851945926748930321536897787511601536291411551215963 
7357974 1375470500284577824376666678872677612280593569, 
523266148 12573203747209862136106492028547633310541581 
30244119857377415713708744163529915144626 $\pmod p$, 

$13^y \equiv$ 52200208400156523080484387248076760362198322255017014 
26725687374586670774992277718809198697784982872783584 
8382945948 956547764873325699997272322775368657 1233058 
3074769780041 7855036551198719274264122371 $\pmod p$. 

(1) Find the discrete logarithm $x$. 
(2) Find the discrete logarithm $y$. 
(3) Compute $(13^x)^y \pmod p$. 
(4) Compute $(13^y)^x \pmod p$. 


3. In the ElGamal cryptosystem, Alice makes $(p, g, g^a)$ public with $p$ prime: 

$p =$ 10000000000000000000000000000000000000000000000000000 
0000000000000000000204706270385532838059744535 1669742 
748046083943401234596957986745915265913726852295 10652 
84733970579762207550506983 104348665 1683281, 

$g = 137$, 

$g^a =$ 1521926639766810195928331615142632068367445 1858111063 
4576769050615795569256793550994428565649 1006943855496 
14388735928661 9504221967945 1267622593641 9253780225375 
3725263998435350007177453 109002733 1523676, 

where $a \in \{1, 2, \cdots, p\}$ must be kept secret. Now Bob can send Alice an 
encrypted message $C = (g^b, Mg^{ab})$ by using her public-key information, 
where 

$g^b =$ 595476756014583223023656041337202206960527469404733 
550460497441379143741421836340432306536590708 164674 
6246663690438438200152876992521 173008 10066542493564 
12826389882 14669184221777907261 1842406374051259, 

$Mg^{ab} =$ 495878618828 151138304304 184476649075302372644536032 
944798495277367215335577078643 146863306446245 996605 
6008783414765 1129038 1062014910855601264849526683408 
8332326374206552553549698 16428652168 17002959760. 

(1) Find the discrete logarithm $a$, and compute $(g^b)^a \bmod p$. 

(2) Find the discrete logarithm $b$, and compute $(g^a)^b \bmod p$. 

(3) Decode the ciphertext $C$ by computing either 
$$M \equiv Mg^{ab}/(g^b)^a \pmod p,$$ 
or 
$$M \equiv Mg^{ab}/(g^a)^b \pmod p.$$ 
4. Let 
$p = 14197$, 
$(e_A, d_A) = (13, 13105)$, 
$(e_B, d_B) = (17, 6681)$, 
$M = 1511$ (OR). 
Find 
$M^{e_A} \bmod p$, 
$M^{e_A e_B} \bmod p$, 
$M^{e_A e_B d_A} \bmod p$, 
$M^{e_A e_B d_A d_B} \bmod p$, 
and check if $M \equiv M^{e_A e_B d_A d_B} \pmod p$. 

5. Let 
$p = 20000000000000002559$, 
$M = 201514042625151811$ (To New York), 
$e_A = 6654873997$, 
$e_B = 7658494001$. 
(1) Find 
$d_A \equiv 1/e_A \pmod{p - 1}$, 
$d_B \equiv 1/e_B \pmod{p - 1}$. 
(2) Find 
$M^{e_A} \bmod p$, 
$M^{e_A e_B} \bmod p$, 
$M^{e_A e_B d_A} \bmod p$, 
$M^{e_A e_B d_A d_B} \bmod p$. 
(3) Check if $M \equiv M^{e_A e_B d_A d_B} \pmod p$. 

6. Suppose, in the ElGamal cryptosystem, the same random number $k$ is chosen to sign two 
different messages. Let 
$b_1 \equiv k^{-1}(m_1 - xa) \pmod{p - 1}$, 
$b_2 \equiv k^{-1}(m_2 - xa) \pmod{p - 1}$, 
where 
$a \equiv g^k \pmod p$. 
(1) Show that $k$ can be computed from 
$(b_1 - b_2)k \equiv (m_1 - m_2) \pmod{p - 1}$. 
(2) Show that the private key $x$ can be determined from the knowledge of $k$. 


7. Show that breaking DHM key-exchange scheme or any DLP-based cryptosystem 
is generally equivalent to solving the DLP problem. 


4.3 Quantum Algorithms for Discrete Logarithms 


4.3.1 Basic Ideas of Quantum Computing for DLP 


Recall that in DLP, we wish to find $r$ in 
$$g^r \equiv x \pmod p,$$ 
where $g$ is a generator of the multiplicative group $\mathbb{Z}_p^*$. We assume the order of $g$ in 
$\mathbb{Z}_p^*$ is known to be $k$, that is, 
$$g^k \equiv 1 \pmod p.$$ 
Notice first that in the quantum factoring algorithm, we try to find $r$ in 
$$g^r \equiv 1 \pmod p,$$ 
where $r$ is the order of $g$ in $\mathbb{F}_{p-1}$. In the quantum discrete logarithm algorithm, we try 
to find 
$$g^r \equiv x \pmod p,$$ 
where $r$ is the discrete logarithm to the base $g$ in $\mathbb{F}_{p-1}$. That is, 
$$r = \log_g x \pmod{p - 1}.$$ 
The definitions of $r$ in the two quantum algorithms are different. However, since 
$$g^r \equiv x \pmod p,$$ 
we can define a 2-variable function (just the same as $f(a) = g^a \equiv 1 \pmod p$ in the 
quantum factoring algorithm): 
$$f(a, b) = g^a x^b \equiv 1 \pmod p$$ 
such that 
$$a - br \equiv k \pmod{p - 1},$$ 
which can be so because 
$$x \equiv g^r \pmod p.$$ 
Thus, in the quantum discrete logarithm algorithm, we essentially need to solve for $r$ in 
$$r \equiv (a - k)\, b^{-1} \pmod{p - 1},$$ 
which is, in turn, just an inverse problem. Shor [60] shows that the quantum 
algorithm can solve for $r$ in polynomial-time. Of course, if $p - 1$ is smooth (i.e., 
$p - 1$ has only small prime factors), then DLP in $\mathbb{Z}_p^*$ can already be solved in 
polynomial-time by the Pohlig-Hellman algorithm [47] (we call this the easy 
case of DLP). However, for general $p$, there is still no classical polynomial-time algorithm for 
DLP (we call this the hard case of DLP). In what follows, we shall first discuss 
the easy case and then the hard case of the quantum DLP attacks. 


4.3.2 Easy Case of Quantum DLP Algorithm 


The easy case of the quantum DLP attack is basically the quantum analog or 
quantum version of the Pohlig-Hellman method for DLP. Recall that to find the 
discrete logarithm $r$ in 
$$g^r \equiv x \pmod p,$$ 
where $g$ is a generator of the multiplicative group $\mathbb{Z}_p^*$ and $p$ a prime with $p - 1$ 
smooth, the Pohlig-Hellman method can solve the problem efficiently in polynomial-time 
on a classical computer. There seems to be no advantage in using quantum computers to 
solve this particular easy, smooth case of DLP. However, it is a good exercise to 
show that a quantum computer can solve a problem just the same as a classical 
computer. 
Algorithm 4.8 (Quantum Algorithm for Easy Case of DLP). Given $g, x \in \mathbb{N}$ 
and $p$ prime, this algorithm will find the integer $r$ such that $g^r \equiv x \pmod p$ if 
$r$ exists. It uses three quantum registers. 

[1] Beginning with the initial state 
$$|\psi_0\rangle = |0\rangle|0\rangle|0\rangle,$$ 
choose numbers $a$ and $b$ modulo $p - 1$ uniformly, and perform a Fourier 
transform modulo $p - 1$, denoted by $A_{p-1}$. So the state of the machine 
after this step is 
$$|\psi_1\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a\rangle|b\rangle|0\rangle 
= \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a, b, 0\rangle.$$ 

[2] Compute $g^a x^b \pmod p$ reversibly; the values of $a$ and $b$ must be kept 
on the tape (just memory, in terms of a quantum Turing machine). This leaves the 
quantum computer in the state $|\psi_2\rangle$: 
$$|\psi_2\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a, b, g^a x^b \pmod p\rangle.$$ 

[3] Use the Fourier transform $A_{p-1}$ to map $|a\rangle \to |c\rangle$ with probability 
amplitude 
$$\frac{1}{\sqrt{p-1}}\exp\left(\frac{2\pi i\, ac}{p-1}\right)$$ 
and $|b\rangle \to |d\rangle$ with probability amplitude 
$$\frac{1}{\sqrt{p-1}}\exp\left(\frac{2\pi i\, bd}{p-1}\right).$$ 
Thus, the state $|a, b\rangle$ will be changed to the state 
$$\frac{1}{p-1}\sum_{c=0}^{p-2}\sum_{d=0}^{p-2}\exp\left(\frac{2\pi i}{p-1}(ac + bd)\right)|c, d\rangle.$$ 
This leaves the machine in the state $|\psi_3\rangle$: 
$$|\psi_3\rangle = \frac{1}{(p-1)^2}\sum_{a,b,c,d=0}^{p-2}\exp\left(\frac{2\pi i}{p-1}(ac + bd)\right)|c, d, g^a x^b \pmod p\rangle.$$ 

[4] Observe the state of the quantum computer and extract the required 
information. The probability of observing a state $|c, d, g^k \pmod p\rangle$ is 
$$\mathrm{Prob}(c, d, g^k) = \left|\frac{1}{(p-1)^2}\sum_{a - rb \equiv k \pmod{p-1}}\exp\left(\frac{2\pi i}{p-1}(ac + bd)\right)\right|^2,$$ 
where the sum is over all $(a, b)$ such that 
$$a - rb \equiv k \pmod{p - 1}. \qquad (4.10)$$ 

[5] Substituting 
$$a \equiv k + rb \pmod{p - 1}$$ 
in (4.10), we get 
$$\mathrm{Prob}(c, d, g^k) = \left|\frac{1}{(p-1)^2}\sum_{b=0}^{p-2}\exp\left(\frac{2\pi i}{p-1}\big(kc + b(d + rc)\big)\right)\right|^2.$$ 
Notice that if $d + rc \not\equiv 0 \pmod{p - 1}$, then the probability is 0. Thus, the 
probability $\neq 0$ if and only if $d + rc \equiv 0 \pmod{p - 1}$, that is, 
$$r \equiv -d c^{-1} \pmod{p - 1}.$$ 

[6] Our computation has thus produced a random $c$ and the corresponding 
$d \equiv -rc \pmod{p - 1}$. So if $\gcd(c, p - 1) = 1$, then we can find $r$ by finding 
the multiplicative inverse of $c$ using Euclid's algorithm. More importantly, 
the chance that $\gcd(c, p - 1) = 1$ is 
$$\frac{\phi(p-1)}{p-1} > \frac{1}{\log p};$$ 
in fact, 
$$\frac{\phi(p-1)}{p-1} \gg \frac{1}{\log\log p}.$$ 
So, we only need a number of experiments that is polynomial in $\log p$ to 
obtain $r$ with high probability. 
4.3.3 General Case of Quantum DLP Algorithm 


We have just shown that quantum computers can solve a computational problem, 
namely the special case of DLP, just the same as a classical computer. However, a 
quantum computer may also be able to solve efficiently, in polynomial-time, a 
computational problem, namely the general case of DLP, that cannot be solved efficiently 
in polynomial-time on a classical computer. Here is the quantum algorithm. 

Recall that the special case of DLP is based on the fact that $p - 1$ is smooth. In the 
general case, we remove this restriction by choosing a random smooth $q$ such that 
$p < q < 2p$; it can be shown that such a $q$ can be found in polynomial-time such 
that no prime power larger than $c \log q$ divides $q$ for some constant $c$ independent 
of $p$. 


Algorithm 4.9 (Quantum Algorithm for General Case of DLP). Let $g$ be a 
generator of $\mathbb{Z}_p^*$, $x \in \mathbb{Z}_p^*$. This algorithm will find the integer $r$ such that 
$g^r \equiv x \pmod p$. 

[1] Choose a random smooth number $q$ such that $p < q < 2p$. Note that we 
do not require $p - 1$ to be smooth. 

[2] Just the same as in the special case, choose numbers $a$ and $b$ modulo $p - 1$ 
uniformly and perform a Fourier transform modulo $p - 1$. This leaves the 
quantum computer in the state $|\psi_1\rangle$: 
$$|\psi_1\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a, b, 0\rangle.$$ 

[3] Compute $g^a x^{-b} \bmod p$ reversibly. This leaves the quantum computer in 
the state $|\psi_2\rangle$: 
$$|\psi_2\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a, b, g^a x^{-b} \pmod p\rangle.$$ 

[4] Use the Fourier transform $A_q$ to map $|a\rangle \to |c\rangle$ with the probability 
amplitude 
$$\frac{1}{\sqrt q}\exp\left(\frac{2\pi i\, ac}{q}\right)$$ 
and $|b\rangle \to |d\rangle$ with probability amplitude 
$$\frac{1}{\sqrt q}\exp\left(\frac{2\pi i\, bd}{q}\right).$$ 
Thus, the state $|a, b\rangle$ will be changed to the state 
$$\frac{1}{q}\sum_{c=0}^{q-1}\sum_{d=0}^{q-1}\exp\left(\frac{2\pi i}{q}(ac + bd)\right)|c, d\rangle.$$ 
This leaves the machine in the state $|\psi_3\rangle$: 
$$|\psi_3\rangle = \frac{1}{(p-1)\,q}\sum_{a,b=0}^{p-2}\sum_{c,d=0}^{q-1}\exp\left(\frac{2\pi i}{q}(ac + bd)\right)|c, d, g^a x^{-b} \pmod p\rangle.$$ 

[5] Observe the state of the quantum computer and extract the required 
information. The probability of observing a state $|c, d, g^k \pmod p\rangle$ is 
almost the same as in the special case: 
$$\mathrm{Prob}(c, d, g^k) = \left|\frac{1}{(p-1)\,q}\sum_{a - rb \equiv k \pmod{p-1}}\exp\left(\frac{2\pi i}{q}(ac + bd)\right)\right|^2, \qquad (4.11)$$ 
where the sum is over all $(a, b)$ such that 
$$a - rb \equiv k \pmod{p - 1}.$$ 

[6] Use the relation 
$$a = br + k - (p-1)\left\lfloor\frac{br + k}{p-1}\right\rfloor$$ 
and substitute in (4.11) to obtain the amplitude 
$$\frac{1}{(p-1)\,q}\sum_{b=0}^{p-2}\exp\left(\frac{2\pi i}{q}\left(brc + kc + bd - c(p-1)\left\lfloor\frac{br + k}{p-1}\right\rfloor\right)\right),$$ 
so that the sum in (4.11) becomes 
$$\frac{1}{(p-1)\,q}\sum_{b=0}^{p-2}\exp\left(\frac{2\pi i}{q}\left(b\Big(rc + d - \frac{r}{p-1}\,\big(c(p-1) \bmod q\big)\Big) + kc + \frac{c(p-1) \bmod q}{p-1}\Big(br - (p-1)\left\lfloor\frac{br + k}{p-1}\right\rfloor\Big)\right)\right).$$ 

[7] It can be shown that certain pairs of values of $c, d$ occur with high 
probability and satisfy the bound 
$$\left|rc + d - \frac{r}{p-1}\,\big(c(p-1) \bmod q\big)\right| \le \frac{1}{2}.$$ 
Once such a pair $c, d$ is found, $r$ can be deduced, as $r$ is the only 
unknown in 
$$d + \frac{r\,\big(c(p-1) - (c(p-1) \bmod q)\big)}{p-1} \approx 0 \pmod q.$$ 
Notice also that 
$$q \mid \big(c(p-1) - (c(p-1) \bmod q)\big).$$ 
Then dividing both sides by $q$, we get 
$$\frac{d}{q} + r \cdot \frac{c(p-1) - (c(p-1) \bmod q)}{(p-1)\,q} \approx 0 \pmod 1.$$ 
To find $r$, just round $d$ to the closest multiple of $p - 1$, and 
then compute $r$ from the relation above. 


4.3.4 Variations of Quantum DLP Algorithms 


In this section, we give two variations of Shor's quantum algorithm for discrete 
logarithms [77]: the first one is for DLP in $\mathbb{F}_p$, the other for DLP in $\mathbb{Z}_n^*$. 


Algorithm 4.10. Given $g, x, p$ with $p$ prime, this algorithm tries to find 
$$k = \log_g x \pmod{p - 1},$$ 
such that 
$$x \equiv g^k \pmod p.$$ 

[1] Find a number $q$ such that $p < q = 2^t < 2p$. 
[2] Initialize the three quantum registers with zeroes: 
$$|\psi_0\rangle = |0\rangle|0\rangle|0\rangle.$$ 
[3] Perform a Hadamard transform on Reg1 and Reg2; we get 
$$U_H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a\rangle|b\rangle|0\rangle.$$ 
[4] Perform the modular exponentiations; we get 
$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a\rangle|b\rangle|f(a, b)\rangle 
= \frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}|a\rangle|b\rangle|g^a x^b \pmod p\rangle.$$ 
[5] Measure Reg3; suppose we observe $m$ satisfying $g^l \equiv m \pmod p$, 
where $0 \le l \le p - 2$, and the state collapses into a superposition in which 
$|a\rangle|b\rangle$ satisfy $g^a x^b \equiv g^l \equiv m \pmod p$, that is, $a + br \equiv l \pmod{p - 1}$, 
where, for fixed $r, l, p - 1$ and any given $b$, there exists only one $k_b$ such 
that $a = l - br - k_b(p - 1)$. Now Reg1 and Reg2 are in the state $|\psi_3\rangle$: 
$$|\psi_3\rangle = \frac{1}{\sqrt{p-1}}\sum_{b=0}^{p-2}|l - br - k_b(p-1)\rangle|b\rangle.$$ 
[6] Perform the QFT on Reg1 and Reg2; we get 
$$\mathrm{QFT} : |\psi_3\rangle \to |\psi_4\rangle = \frac{1}{q\sqrt{p-1}}\sum_{b=0}^{p-2}\sum_{\mu=0}^{q-1}\sum_{\nu=0}^{q-1}\omega^{(l - br - k_b(p-1))\mu + b\nu}|\mu, \nu\rangle$$ 
$$= \frac{1}{q\sqrt{p-1}}\sum_{b=0}^{p-2}\sum_{\mu=0}^{q-1}\sum_{\nu=0}^{q-1}\omega^{(\nu - \mu r)b + l\mu - k_b(p-1)\mu}|\mu, \nu\rangle$$ 
$$= \frac{1}{q\sqrt{p-1}}\sum_{\nu \equiv \mu r \bmod (p-1)}\ \sum_{b=0}^{p-2}\omega^{(\nu - \mu r)b + l\mu - k_b(p-1)\mu}|\mu, \nu\rangle$$ 
$$= \frac{1}{\sqrt{p-1}}\sum_{\mu}\omega^{l\mu}|\mu, \mu r\rangle,$$ 
where $\omega = e^{2\pi i/q}$. 

[7] Measure Reg1 and Reg2; we get $(\mu, \mu r)$. By the previous steps, we 
know $k = \mu^{-1}(\mu r) \pmod{p - 1}$. 


Example 4.12. Let $g = 4$, $p = 13$, $x = 10$. We try to find 
$$k = \log_4 10 \pmod{12},$$ 
such that 
$$10 \equiv 4^k \pmod{13}.$$ 

[1] Find a number $q$ such that $13 < q = 2^4 = 16 < 2 \cdot 13$. 
[2] Initialize the three quantum registers with zeroes: 
$$|\psi_0\rangle = |0, 0, 0\rangle.$$ 
[3] Perform a Hadamard transform on Reg1 and Reg2; we get 
$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{12}\sum_{a=0}^{11}\sum_{b=0}^{11}|a\rangle|b\rangle|0\rangle.$$ 
[4] Perform the modular exponentiations; we get 
$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{12}\sum_{a=0}^{11}\sum_{b=0}^{11}|a\rangle|b\rangle|4^a \cdot 10^b \pmod{13}\rangle.$$ 

The relationship between $4^a \cdot 10^b \pmod{13}$ and $a, b$ is shown in the following 
table (rows $a$, columns $b$): 

 a\b   0   1   2   3   4   5   6   7   8   9  10  11 
  0    1  10   9  12   3   4   1  10   9  12   3   4 
  1    4   1  10   9  12   3   4   1  10   9  12   3 
  2    3   4   1  10   9  12   3   4   1  10   9  12 
  3   12   3   4   1  10   9  12   3   4   1  10   9 
  4    9  12   3   4   1  10   9  12   3   4   1  10 
  5   10   9  12   3   4   1  10   9  12   3   4   1 
  6    1  10   9  12   3   4   1  10   9  12   3   4 
  7    4   1  10   9  12   3   4   1  10   9  12   3 
  8    3   4   1  10   9  12   3   4   1  10   9  12 
  9   12   3   4   1  10   9  12   3   4   1  10   9 
 10    9  12   3   4   1  10   9  12   3   4   1  10 
 11   10   9  12   3   4   1  10   9  12   3   4   1 

[5] Measure Reg3; suppose we observe 4 satisfying $4^l \equiv 4 \pmod{13}$, where $0 \le 
l \le 11$. Now Reg1 and Reg2 are in the state 
$$\frac{1}{\sqrt{24}}\big(|0\rangle|5\rangle + |0\rangle|11\rangle + |1\rangle|0\rangle + |1\rangle|6\rangle + |2\rangle|1\rangle + |2\rangle|7\rangle + |3\rangle|2\rangle + |3\rangle|8\rangle + 
|4\rangle|3\rangle + |4\rangle|9\rangle + |5\rangle|4\rangle + |5\rangle|10\rangle + |6\rangle|5\rangle + |6\rangle|11\rangle + |7\rangle|0\rangle + |7\rangle|6\rangle + 
|8\rangle|1\rangle + |8\rangle|7\rangle + |9\rangle|2\rangle + |9\rangle|8\rangle + |10\rangle|3\rangle + |10\rangle|9\rangle + |11\rangle|4\rangle + |11\rangle|10\rangle\big).$$ 

[6] Perform the QFT on Reg1 and Reg2; we get 
$$\frac{1}{4}\sum_{\mu=0}^{15}\omega_{16}^{l\mu}|\mu, \mu r\rangle,$$ 
where $\omega_{16} = e^{2\pi i/16}$, so that the following states can be observed: 
$|0\rangle|0\rangle, |1\rangle|5\rangle, |2\rangle|10\rangle, |3\rangle|15\rangle, |4\rangle|4\rangle, |5\rangle|1\rangle, |6\rangle|6\rangle, |7\rangle|11\rangle, |8\rangle|4\rangle, |9\rangle|9\rangle, |10\rangle|2\rangle, |11\rangle|7\rangle, |12\rangle|0\rangle, |13\rangle|5\rangle, |14\rangle|10\rangle, |15\rangle|3\rangle$. 

[7] Measure Reg1 and Reg2; we get $(13, 5)$, thus $r = 13^{-1} \cdot 5 \pmod{12} = 5$. 


Now we change the discrete logarithms in $\mathbb{F}_p$ to those in $\mathbb{Z}_n^*$. 

Algorithm 4.11. Given $C = \langle g \rangle \subseteq \mathbb{Z}_n^*$, $y \in C$, $n \in \mathbb{Z}^+$. This algorithm tries to 
find 
$$k = \log_g y \pmod n,$$ 
such that 
$$y \equiv g^k \pmod n.$$ 

[1] Let $N$ be the order of the group $C$. 
[2] Initialize the three quantum registers with zeroes: 
$$|\psi_0\rangle = |0^s, 0^s, 0^t\rangle,$$ 
where $s = \lceil \log N \rceil + 1$, $t = \lceil \log n \rceil + 1$. 
[3] Perform a Hadamard transform on Reg1 and Reg2; we get 
$$U_H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{N}\sum_{a=0}^{N-1}\sum_{b=0}^{N-1}|a\rangle|b\rangle|0\rangle.$$ 
[4] Perform the modular exponentiations; we get 
$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{N}\sum_{a=0}^{N-1}\sum_{b=0}^{N-1}|a\rangle|b\rangle|f(a, b)\rangle 
= \frac{1}{N}\sum_{a=0}^{N-1}\sum_{b=0}^{N-1}|a\rangle|b\rangle|g^a y^b \pmod n\rangle.$$ 
[5] Measure Reg3; we will observe $m$ satisfying $g^l \equiv m \pmod n$, where $0 \le 
l \le N - 1$, and the state will collapse into a superposition in which 
$|a\rangle|b\rangle$ satisfy $g^a y^b \equiv g^l \equiv m \pmod n$, that is, $a + bx \equiv l \pmod N$, 
where, for fixed $x, l, N$ and any given $b$, there exists only one $k_b$ such 
that $a = l - bx - k_b N$. Now Reg1 and Reg2 are in the state $|\psi_3\rangle$: 
$$|\psi_3\rangle = \frac{1}{\sqrt N}\sum_{b=0}^{N-1}|l - bx - k_b N\rangle|b\rangle.$$ 
[6] Perform the QFT on Reg1 and Reg2; we get 
$$\mathrm{QFT} : |\psi_3\rangle \to |\psi_4\rangle = \frac{1}{N\sqrt N}\sum_{b=0}^{N-1}\sum_{\mu=0}^{N-1}\sum_{\nu=0}^{N-1}\omega^{(l - bx - k_bN)\mu + b\nu}|\mu, \nu\rangle$$ 
$$= \frac{1}{N\sqrt N}\sum_{b=0}^{N-1}\sum_{\mu=0}^{N-1}\sum_{\nu=0}^{N-1}\omega^{(\nu - \mu x)b + l\mu - k_bN\mu}|\mu, \nu\rangle$$ 
$$= \frac{1}{N\sqrt N}\sum_{\nu \equiv \mu x \bmod N}\ \sum_{b=0}^{N-1}\omega^{(\nu - \mu x)b + l\mu}|\mu, \nu\rangle$$ 
$$= \frac{1}{\sqrt N}\sum_{\mu=0}^{N-1}\omega^{l\mu}|\mu, \mu x\rangle,$$ 
where $\omega = e^{2\pi i/N}$. 
[7] Measure Reg1 and Reg2; we get $(\mu, \mu x)$. By the previous step, we know 
$x = \mu^{-1}(\mu x) \pmod N$. 


Each step of the above algorithm may be best illustrated by the following example. 

Example 4.13. Let $C = \langle g = 105 \rangle$, $y = 144$, $n = 221$. 

[1] Compute the order of $C$: $N = |C| = 16$. 
[2] Initialize the three quantum registers with zeroes: 
$$|\psi_0\rangle = |0, 0, 0\rangle.$$ 
[3] Perform a Hadamard transform on Reg1 and Reg2; we get 
$$H : |\psi_0\rangle \to |\psi_1\rangle = \frac{1}{16}\sum_{a=0}^{15}\sum_{b=0}^{15}|a\rangle|b\rangle|0\rangle.$$ 
[4] Perform the modular exponentiations; we get 
$$U_f : |\psi_1\rangle \to |\psi_2\rangle = \frac{1}{16}\sum_{a=0}^{15}\sum_{b=0}^{15}|a\rangle|b\rangle|105^a \cdot 144^b \pmod{221}\rangle.$$ 

The relationship between $105^a \cdot 144^b \pmod{221}$ and $a, b$ is shown in the following 
table: 

[Table: $105^a \cdot 144^b \pmod{221}$ for $0 \le a, b \le 15$] 

[5] Measure Reg3; we will observe 27 satisfying $27 \equiv 105^l \pmod{221}$. Now 
Reg1 and Reg2 are in the state 
$$\frac{1}{\sqrt{16}}\big(|1\rangle|5\rangle + |1\rangle|13\rangle + |3\rangle|0\rangle + |3\rangle|8\rangle + |5\rangle|3\rangle + |5\rangle|11\rangle + |7\rangle|6\rangle + |7\rangle|14\rangle + 
|9\rangle|1\rangle + |9\rangle|9\rangle + |11\rangle|4\rangle + |11\rangle|12\rangle + |13\rangle|7\rangle + |13\rangle|15\rangle + |15\rangle|2\rangle + |15\rangle|10\rangle\big).$$ 
[6] Perform the QFT on Reg1 and Reg2; we get 
$$\frac{1}{\sqrt{16}}\sum_{\mu=0}^{15}\omega_{16}^{3\mu}|\mu, \mu x\rangle,$$ 
so that the following states 
$|0\rangle|0\rangle, |1\rangle|10\rangle, |2\rangle|4\rangle, |3\rangle|14\rangle, |4\rangle|8\rangle, |5\rangle|2\rangle, |6\rangle|12\rangle, |7\rangle|6\rangle, |8\rangle|0\rangle, 
|9\rangle|10\rangle, |10\rangle|4\rangle, |11\rangle|14\rangle, |12\rangle|8\rangle, |13\rangle|2\rangle, |14\rangle|12\rangle, |15\rangle|6\rangle$ 
can be observed. Suppose the state $|9\rangle|10\rangle$ is observed. Then by computing 
$$10 \equiv 9x \pmod{16},$$ 
we get $x = 10$. 
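As an added example (not from the book), the following Python simulates Algorithm 4.11 classically on Example 4.13 ($g = 105$, $y = 144$, $n = 221$), representing Reg1 and Reg2 as a dictionary of amplitudes. Because $N = 16$ is the exact order of $g$, the two-register QFT puts all probability on the pairs $(\mu, \mu x \bmod N)$ of steps [6] and [7]; this is the same interference argument as step [5] of Algorithm 4.8, and the `collapse` helper computes exactly the $105^a \cdot 144^b \pmod{221}$ entries the text tabulates.

```python
# Added example: exact classical simulation of Algorithm 4.11 on Example 4.13
# (g = 105, y = 144, n = 221).  Reg1 and Reg2 are modelled as a dict
# {(a, b): complex amplitude}; Reg3 is collapsed onto the observed value.
import cmath
import math
from math import gcd


def group_order(g, n):
    """Step [1]: the order N of C = <g> in Z_n^*, found by repeated multiplication."""
    k, t = 1, g % n
    while t != 1:
        t = t * g % n
        k += 1
    return k


def collapse(g, y, n, N, observed):
    """Steps [3]-[5]: uniform superposition over (a, b), f(a, b) = g^a y^b mod n,
    then keep only the (a, b) whose third register equals the observed value."""
    kept = [(a, b) for a in range(N) for b in range(N)
            if pow(g, a, n) * pow(y, b, n) % n == observed]
    amp = 1 / math.sqrt(len(kept))          # renormalise after the measurement
    return {ab: amp for ab in kept}


def qft2(state, N):
    """Step [6]: QFT on Reg1 and Reg2, i.e. the 2-D DFT over Z_N x Z_N."""
    out = {}
    for mu in range(N):
        for nu in range(N):
            s = 0j
            for (a, b), z in state.items():
                s += z * cmath.exp(2j * math.pi * (a * mu + b * nu) / N)
            out[(mu, nu)] = s / N
    return out


def peaks(state, eps=1e-9):
    """The (mu, nu) pairs that can be observed, with their probabilities."""
    return {mn: abs(z) ** 2 for mn, z in state.items() if abs(z) ** 2 > eps}


def quantum_dlp_sim(g, y, n, observed):
    """Run Algorithm 4.11 with Reg3 observed as `observed`; returns (N, peaks, x)
    where x is recovered from every usable pair and checked for agreement."""
    N = group_order(g, n)
    after = qft2(collapse(g, y, n, N, observed), N)
    pk = peaks(after)
    # Step [7]: a pair (mu, nu) gives x = mu^{-1} nu mod N when gcd(mu, N) = 1.
    xs = {nu * pow(mu, -1, N) % N for mu, nu in pk if gcd(mu, N) == 1}
    assert len(xs) == 1, "all usable pairs must agree on x"
    return N, pk, xs.pop()


if __name__ == "__main__":
    # 27 = 105^3 mod 221 is the value the book observes in step [5].
    N, pk, x = quantum_dlp_sim(105, 144, 221, 27)
    print("N =", N, " x =", x, " check:", pow(105, x, 221) == 144)
    for (mu, nu), pr in sorted(pk.items()):
        print(f"|{mu:2d}>|{nu:2d}>  prob={pr:.4f}  usable={gcd(mu, N) == 1}")
```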


Problems for Section 4.3 


1. Show that the computational complexity of Algorithm 4.9 for solving DLP over 
$\mathbb{Z}_p^*$ is $O((\log p)^{2+\epsilon})$, where $\log p$ is the number of bits of $p$. 

2. The complexity of Algorithm 4.9 is currently in $\mathcal{BQP}$. Can this algorithm 
be improved to be in $\mathcal{QP}$? That is, can the randomness be removed from 
Algorithm 4.9? 

3. In the general quantum DLP algorithm, the value of $q$ is chosen to be in the 
range $p < q < 2p$. Can this value of $q$ be reduced to a small number, so that the 
algorithm could be easy to implement on a small quantum computer? 

4. Pollard's $\rho$ and $\lambda$ methods for DLP are very well suited for parallel computation, 
and in fact there are some novel parallel versions of the $\rho$ and $\lambda$ methods for DLP. 
Can the $\rho$ and/or $\lambda$ methods for DLP be implemented on a quantum computer? 
If so, develop a quantum version of the $\rho$ or $\lambda$ methods for DLP. 

5. The NFS (Number Field Sieve) is currently the fastest method for solving DLP 
in $\mathbb{Z}_p^*$. Develop, if possible, a quantum version of the NFS for DLP. 

6. The IFP and DLP can be generalized to the HSP (Hidden Subgroup Problem). Let 
$G$ be an Abelian group. We say that $f : G \to S$ (taking values in some set $S$) 
hides the subgroup $H \le G$ if 
$$f(x) = f(y) \iff x - y \in H.$$ 
The Abelian HSP asks, given a device that computes $f$, to find a generating set 
for $H$. Give a quantum algorithm to solve the more general HSP problem. 


4.4 Chapter Notes and Further Reading 


Logarithms were invented by the Scottish mathematician John Napier (1550-1617). 
Basically, the logarithm is the inverse of the mathematical operation of exponentiation. We 
say $k$ is the logarithm of $y$ to the base $x$, denoted by $k = \log_x y$, if $y = x^k$, where 
$x, y, k \in \mathbb{R}$. The Logarithm Problem (LP) is to find $k$ given $x, y$. Apparently, it is an 
easy problem, that is, 
$$\mathrm{LP}: \{x, y = x^k\} \xrightarrow{\text{easy}} \{k\},$$ 




as we can always solve the problem by using the following formulas: 
$$\log_x y = \frac{\ln y}{\ln x}$$ 
and 


_ - = sq le= ly 
Ha Dt itt ———. 


For example, 
$$\log_2 5 = \frac{\ln 5}{\ln 2} = \frac{1.609437912}{0.692147106} \approx 2.321928095.$$ 


The situation is, however, completely different for the Discrete Logarithm 
Problem (DLP), say, e.g., over $\mathbb{Z}_p^*$ rather than over $\mathbb{R}$. Just the same as IFP, DLP is 
also an intractable computational number-theoretic problem and can be utilized to 
construct various public-key cryptosystems and protocols. There are many classical 
methods for solving DLP, say, e.g., 

1. Baby-step giant-step, 
2. Pollard's $\rho$ method, 
3. Pollard's $\lambda$ method, 
4. Pohlig-Hellman method, 
5. Index calculus (e.g., NFS), 
6. Xedni calculus, 
7. Function Field Sieve (FFS). 


It is interesting to note that for both IFP and DLP, no efficient algorithms are 
known for non-quantum computers, but efficient quantum algorithms are known. 
Moreover, algorithms from one problem are often adapted to the other, making 
IFP and DLP twin sister problems. In this chapter, we have introduced some of 
the most popular attacks on the DLP problem, and some of the most widely used 
DLP-based cryptographic systems and protocols that are unbreakable by all classical 
attacks in polynomial-time. As mentioned, quantum computers can solve the DLP 
problem and break DLP-based cryptographic systems in polynomial-time, so in the 
last section of this chapter, quantum attacks on DLP and DLP-based cryptography 
are discussed and analyzed. 

The Baby-Step and Giant-Step method for DLP was originally proposed by 
Shanks in 1971 [59]. The Pohlig-Hellman method for DLP was proposed in [47]. The 
$\rho$ and $\lambda$ methods for DLP were proposed by Pollard in [49]. The currently most 
powerful method, the index calculus, for DLP was discussed in many references 
such as [1, 25, 26, 56]. The Function Field Sieve is based on the algebraic function 
field which is just an analog of the number field. Same as NFS, FFS can be 
used for solving both IFP and DLP. Incidentally, FFS is more suitable for solving 
the discrete logarithm problem in finite fields of small characteristic. For more 
information on FFS, particularly for the recent progress in DLP in finite fields of 
small characteristic, see [3, 4, 6, 24, 31-33]. 

For general references on DLP and methods for solving DLP, readers are 
suggested to consult: [2, 5, 11, 14-16, 21, 27, 30, 35-37, 40, 41, 45, 46, 50-52, 
54, 57, 65, 73, 75, 76]. 

DLP-based cryptography also forms an important class of cryptography, includ- 
ing cryptographic protocols and digital signatures. In the open literature, the first 
public-key system, namely, the key-exchange scheme, was proposed by Diffie and 
Hellman in 1976 in [18], based on an idea of Merkle [42] (although published later). 
The first DLP-based cryptographic system and digital signature scheme were pro- 
posed by ElGamal in 1985 [21]. For general references on DLP-based cryptographic 
systems and digital signature schemes, readers are suggested to consult [1, 7— 
10, 12, 13, 17, 19, 20, 22, 23, 28, 29, 34, 38, 41, 43, 44, 47, 53, 55, 58, 66-73, 76]. 

The quantum algorithm for DLP was first proposed in 1994 by Shor [60] 
(see Shor’s other papers [61-64] for more information). 
Chapter 5 
Quantum Computing for Elliptic Curve Discrete 
Logarithms 


The best way to predict the future is to invent it. 


ALAN KAY 
The 2003 Turing Award Recipient 


In this chapter we shall first discuss the Elliptic Curve Discrete Logarithm Problem 
(ECDLP) and the classical solutions to ECDLP, then we shall present some quantum 
algorithms for solving the ECDLP problem and for attacking the ECDLP-based 
cryptography. 


5.1 Classical Algorithms for Elliptic Curve Discrete 
Logarithms 


5.1.1 Basic Concepts 


The Elliptic Curve Discrete Logarithm Problem (ECDLP): Let $E$ be an elliptic curve 
over the finite field $\mathbb{F}_p$, say, given by a Weierstrass equation 
$$E: y^2 = x^3 + ax + b \pmod p,$$ 
and $S$ and $T$ two points in the elliptic curve group $E(\mathbb{F}_p)$. Then the ECDLP is to find 
the integer $k$ (assuming that such an integer $k$ exists) 
$$k = \log_T S \in \mathbb{Z}, \quad \text{or} \quad k = \log_T S \pmod p$$ 
such that 
$$S = kT \in E(\mathbb{F}_p), \quad \text{or} \quad S = kT \pmod p.$$ 
The ECDLP is a more difficult problem than the DLP, and it is the problem on which the Elliptic 
Curve Digital Signature Algorithm (ECDSA) is based. Clearly, the ECDLP is 
the generalization of DLP, which extends the multiplicative group $\mathbb{F}_p^*$ to the elliptic 
curve group $E(\mathbb{F}_p)$. 


5.1.2 Pohlig-Hellman Algorithm for ECDLP 


The ECDLP problem is a little bit more difficult than the DLP problem, on which 
the Elliptic Curve Digital Signature Algorithm/Elliptic Curve Digital Signature 
Standard (ECDSA/ECDSS) [27] is based. As ECDLP is the generalization of DLP, 
which extends, e.g., the multiplicative group $\mathbb{F}_p^*$ to the elliptic curve group $E(\mathbb{F}_p)$, 
many methods for DLP, even for IFP, can be extended to ECDLP; for example, the 
Baby-Step Giant-Step for DLP, Pollard's $\rho$ and $\lambda$ methods for IFP and DLP, and the Silver- 
Pohlig-Hellman method for DLP can all be naturally extended to ECDLP. In what 
follows, we present an example of solving ECDLP by an analog of the Silver-Pohlig- 
Hellman method for elliptic curves over $\mathbb{F}_p$. 


Example 5.1. Let 
$$Q = kP \pmod{1009},$$ 
where 

$E: y^2 = x^3 + 71x + 602 \pmod{1009}$ 
$P = (1, 237)$ 
$Q = (190, 271)$ 
$\mathrm{order}(E(\mathbb{F}_{1009})) = 1060 = 2^2 \cdot 5 \cdot 53$ 
$\mathrm{order}(P) = 530 = 2 \cdot 5 \cdot 53$. 

Find $k$. The detailed solution may be as follows. 

[1] Find the individual logarithm modulo 2: as $530/2 = 265$, we have 

$P_2 = 265P = (50, 0)$ 
$Q_2 = 265Q = (50, 0)$ 
$Q_2 = P_2$ 

$k \equiv 1 \pmod 2$. 

[2] Find the individual logarithm modulo 5: as $530/5 = 106$, we have 

$P_5 = 106P = (639, 160)$ 
$Q_5 = 106Q = (639, 849)$ 
$Q_5 = 4P_5$ 

$k \equiv 4 \pmod 5$. 

[3] Find the individual logarithm modulo 53: as $530/53 = 10$, we have 

$P_{53} = 10P = (32, 737)$ 
$Q_{53} = 10Q = (592, 97)$ 
$Q_{53} = 48P_{53}$ 

$k \equiv 48 \pmod{53}$. 

[4] Use the Chinese Remainder Theorem to combine the individual logarithms to 
get the final logarithm: 
$$\mathrm{CHREM}([1, 4, 48], [2, 5, 53]) = 419.$$ 
That is, 
$$(190, 271) = 419\,(1, 237) \pmod{1009},$$ 
or alternatively, 
$$(190, 271) = \underbrace{(1, 237) + \cdots + (1, 237)}_{419 \text{ summands}} \pmod{1009}.$$ 

5.1.3 Baby-Step Giant-Step Algorithm for ECDLP 


The Shanks Baby-Step Giant-Step for DLP can be easily extended to ECDLP. To 
find $k$ in $Q = kP$, the idea is to compute and store a list of points $iP$ for $1 \le i \le m$ 
(Baby-Steps), then compute $Q - jmP$ (Giant-Steps) and try to find a match in the 
stored list. The algorithm may be described as follows. 


Algorithm 5.1 (Baby-Step Giant-Step for ECDLP). Let $E$ be an elliptic curve 
over $\mathbb{Z}_p$, $P, Q \in E(\mathbb{Z}_p)$. This algorithm tries to find $k$ in $Q = kP \pmod p$. 

[1] Set $m = \lceil \sqrt p \rceil$. 

[2] For $i$ from 1 to $m$, compute and store $iP$. 

[3] For $j$ from 1 to $m - 1$, compute $Q - jmP$ and check this against the list 
stored in Step [2]. 
[4] If a match is found then $Q - jmP = iP$ and hence $Q = (i + jm)P$. 
[5] Output $k = i + jm \pmod p$. 


Example 5.2 (Baby-Step Giant-Step for ECDLP). Let $E(\mathbb{F}_{719}) : y^2 = x^3 + 231x + 
508 \pmod{719}$ be an elliptic curve over $\mathbb{F}_{719}$, $|E(\mathbb{F}_{719})| = 727$, $P = 
(513, 30)$, $Q = (519, 681) \in E(\mathbb{F}_{719})$. We wish to find $k$ such that $Q = kP \pmod{719}$. 

[1] Set $m = \lceil \sqrt{719} \rceil = 27$ and compute $27P = (714, 469)$. 
[2] For $i$ from 1 to $m$, compute and store $iP$: 

$1P = (513, 30)$ 
$2P = (210, 538)$ 
$3P = (525, 236)$ 
$4P = (507, 58)$ 
$5P = (427, 421)$ 
$6P = (543, 327)$ 
$\vdots$ 
$24P = (487, 606)$ 
$25P = (529, 253)$ 
$26P = (239, 462)$ 
$27P = (714, 469)$. 

[3] For $j$ from 1 to $m - 1$, compute $Q - jmP$ and check this against the list stored in 
Step [2]: 

$Q - (0 \cdot 27)P = (511, 681)$ 
$Q - (1 \cdot 27)P = (650, 450)$ 
$Q - (2 \cdot 27)P = (95, 422)$ 
$\vdots$ 
$Q - (19 \cdot 27)P = (620, 407)$ 
$Q - (20 \cdot 27)P = (143, 655)$ 
$Q - (21 \cdot 27)P = (239, 462)$. 
[4] A match is found for $27P = (714, 469)$ and $Q - (21 \cdot 27)P = (239, 462)$. Thus, 
$Q = (26 + 21 \cdot 27)P$. 
[5] Output $k = 26 + 21 \cdot 27 = 593 \pmod{719}$. 


5.1.4 $\rho$ Method for ECDLP 


The fastest algorithm for solving ECDLP is Pollard's $\rho$ method. Up to date, the 
largest ECDLP instance solved with $\rho$ is still the ECC$_p$-109, for an elliptic curve 
over a 109-bit prime field. Recall that the ECDLP problem asks to find $k \in [1, r - 1]$ 
such that 
$$Q = kP,$$ 
where $r$ is a prime number, $P$ is a point of order $r$ on an elliptic curve over a finite 
field $\mathbb{F}_q$, $Q \in G$ and $G = \langle P \rangle$. The main idea of $\rho$ for ECDLP is to find distinct pairs 
$(c', d')$ and $(c'', d'')$ of integers modulo $r$ such that 
$$c'P + d'Q = c''P + d''Q.$$ 
Then 
$$(c' - c'')P = (d'' - d')Q,$$ 
that is, 
$$Q = \frac{c' - c''}{d'' - d'}\,P,$$ 
thus, 
$$k \equiv \frac{c' - c''}{d'' - d'} \pmod r.$$ 

To implement the idea, we first choose a random iteration function $f : G \to G$, then 
start from a random initial point $P_0$ and compute the iterations $P_{i+1} = f(P_i)$. Since $G$ is 
finite, there will be some indices $i < j$ such that $P_i = P_j$. Then 
$$P_{i+1} = f(P_i) = f(P_j) = P_{j+1},$$ 
and in fact 
$$P_{i+l} = P_{j+l}, \quad \text{for all } l \ge 0.$$ 

Therefore, the sequence of points $\{P_i\}$ is periodic with period $j - i$ (see Figure 5.1). 
This is why we call it the $\rho$ method; we may also call it the $\lambda$ method, as the 
computation paths for $c'P + d'Q$ and $c''P + d''Q$ will eventually meet and travel 
along the same road, symbolized by the Greek letter $\lambda$. If $f$ is a randomly chosen 
random function, then we expect to find a match (i.e., a collision) with $j$ at most 
a constant times $\sqrt r$. In fact, by the birthday paradox, the expected number of 
iterations before a collision is obtained is approximately $\sqrt{\pi r/2} \approx 1.2533\sqrt r$. 
To quickly detect the collision, the Floyd cycle detection trick will be used. That 
is, just the same as $\rho$ for IFP and DLP, we compute pairs $(P_i, P_{2i})$ for $i = 1, 2, \cdots$, 
until a match is found. Here is the algorithm and an example [19]. 


Algorithm 5.2 (Pollard's $\rho$ Algorithm for ECDLP). Given $P \in E(\mathbb{F}_q)$ of prime 
order $r$, $Q \in \langle P \rangle$, this algorithm tries to find 
$$k = \log_P Q \pmod p$$ 
such that 
$$Q = kP \pmod p,$$ 
via 
$$k \equiv \frac{c' - c''}{d'' - d'} \pmod r.$$ 

[Figure 5.1 $\rho$ for ECDLP: the iterates $P_0, P_1, \ldots$ form a tail leading into the cycle at $P_i = P_j$.] 

[1] Initialization. Choose the number $L$ of branches, and select a partition 
function $H: \langle P \rangle \to \{1, 2, \ldots, L\}$. 
[2] Compute $a_iP + b_iQ$. 
for $i$ from 1 to $L$ do 
    choose $a_i, b_i \in [0, r - 1]$ 
    compute $R_i = a_iP + b_iQ$. 
[3] Compute $c'P + d'Q$. Choose $c', d' \in [0, r - 1]$, and compute $X' = c'P + d'Q$. 
[4] Prepare for loop. 
Set $X'' \leftarrow X'$ 
    $c'' \leftarrow c'$ 
    $d'' \leftarrow d'$. 
[5] Loop. 
Repeat 
    Compute $j = H(X')$ 
    Set $X' \leftarrow X' + R_j$ 
        $c' \leftarrow c' + a_j \bmod r$ 
        $d' \leftarrow d' + b_j \bmod r$. 
    for $i$ from 1 to 2 do 
        Compute $j = H(X'')$ 
        Set $X'' \leftarrow X'' + R_j$ 
            $c'' \leftarrow c'' + a_j \bmod r$ 
            $d'' \leftarrow d'' + b_j \bmod r$. 
Until $X' = X''$. 

[6] Output and exit. 
If $d' \neq d''$ then compute $k = (c' - c'')(d'' - d')^{-1} \pmod r$, 
otherwise return failure (stop or start over again). 


Example 5.3. Consider the elliptic curve 

E\F_229: y^2 = x^3 + x + 44 (mod 229). 

The point P = (5, 116) ∈ E(F_229) has prime order r = 239. Let Q = (155, 166) ∈ 
⟨P⟩ (where ⟨P⟩ denotes the subgroup generated by the point P). We wish to find k 
such that 

Q = kP (mod 229). 

That is, 

k = log_P Q (mod 229). 

We perform the following steps: 
[1] Select the partition function H: ⟨P⟩ → {1, 2, 3, 4} with 4 partitions: 

H(x, y) = (x mod 4) + 1. 

Let R_i = a_i P + b_i Q with i = 1, 2, 3, 4. Then 

(a_1, b_1, R_1) = (79, 163, (135, 117)) 
(a_2, b_2, R_2) = (206, 19, (96, 97)) 
(a_3, b_3, R_3) = (87, 109, (84, 62)) 
(a_4, b_4, R_4) = (219, 68, (72, 134)). 

[2] Compute the iteration table until a match (collision) is found. 

Iteration | c'  | d'  | c'P + d'Q  | c'' | d'' | c''P + d''Q 
    0     | 54  | 175 | (39, 159)  | 54  | 175 | (39, 159) 
    1     | 34  | 4   | (160, 9)   | 113 | 167 | (130, 182) 
    2     | 113 | 167 | (130, 182) | 180 | 105 | (36, 97) 
    3     | 200 | 37  | (27, 17)   | 0   | 97  | (108, 89) 
    4     | 180 | 105 | (36, 97)   | 46  | 40  | (223, 153) 
    5     | 20  | 29  | (119, 180) | 232 | 127 | (167, 57) 
    6     | 0   | 97  | (108, 89)  | 192 | 24  | (57, 105) 
    7     | 79  | 21  | (81, 168)  | 139 | 11  | (185, 227) 
    8     | 46  | 40  | (223, 153) | 193 | 0   | (197, 92) 
    9     | 26  | 108 | (9, 18)    | 140 | 87  | (194, 145) 
   10     | 232 | 127 | (167, 57)  | 67  | 120 | (223, 153) 
   11     | 212 | 195 | (75, 136)  | 14  | 207 | (167, 57) 
   12     | 192 | 24  | (57, 105)  | 213 | 104 | (57, 105) 


[3] At the step i = 12, we find a match 

192P + 24Q = 213P + 104Q = (57, 105). 

That is, 

Q = ((192 − 213)/(104 − 24)) P (mod 229). 

Thus, we have 

k = (192 − 213)(104 − 24)^{-1} ≡ 176 (mod 239). 


5.1.5 Xedni Calculus for ECDLP 


The index calculus is the most powerful method for DLP in some groups, including 
the multiplicative group F_q^* of a finite field; it is, however, generally not suitable 
for ECDLP, just as it is not for general groups. In what follows, we introduce a method 
for ECDLP called xedni calculus. 

The xedni calculus was first proposed by Joseph Silverman in 1998 [56], and 
analyzed in [25, 35, 58]. It is called xedni calculus because it "stands index calculus 
on its head". The xedni calculus is a new method that might be used to solve the 
ECDLP, although it has not yet been tested in practice. It can be described as 
follows [56]: 


[1] Choose points in E(F_p) and lift them to points in Z^2. 
[2] Choose a curve E(Q) containing the lifted points; use Mestre's method [45] (in 
reverse) to make rank E(Q) small. 

Whilst the index calculus works in reverse: 

[1] Lift E/F_p to E(Q); use Mestre's method to make rank E(Q) large. 
[2] Choose points in E(F_p) and try to lift them to points in E(Q). 


A brief description of the xedni algorithm is as follows (a complete description and 
justification of the algorithm can be found in [56]). 


Algorithm 5.3 (Xedni Calculus for the ECDLP). Let F_p be a finite field with p 
elements (p prime), E/F_p an elliptic curve over F_p, say, given by 

E: y^2 + a_{p,1} xy + a_{p,3} y = x^3 + a_{p,2} x^2 + a_{p,4} x + a_{p,6}, 

N_p the number of points in E(F_p), S and T two points in E(F_p). This 
algorithm tries to find an integer k 

k = log_T S 

such that 

S = kT in E(F_p). 


[1] Fix an integer 4 ≤ r ≤ 9 and an integer M which is a product of small 
primes. 
[2] Choose r points 

P_{M,i} = [x_{M,i}, y_{M,i}, z_{M,i}], 1 ≤ i ≤ r, 

having integer coefficients and satisfying 

[2-1] the first 4 points are [1, 0, 0], [0, 1, 0], [0, 0, 1] and [1, 1, 1]; 
[2-2] for every prime l | M, the matrix B(P_{M,1}, ..., P_{M,r}) has maximal 
rank modulo l. 

Further choose coefficients u_{M,1}, ..., u_{M,10} such that the points 
P_{M,1}, ..., P_{M,r} satisfy the congruence: 

u_{M,1} x^3 + u_{M,2} x^2 y + u_{M,3} x y^2 + u_{M,4} y^3 + u_{M,5} x^2 z + u_{M,6} xyz + u_{M,7} y^2 z 
+ u_{M,8} x z^2 + u_{M,9} y z^2 + u_{M,10} z^3 ≡ 0 (mod M). 

[3] Choose r random pairs of integers (s_i, t_i) satisfying 1 ≤ s_i, t_i < N_p, and for 
each 1 ≤ i ≤ r, compute the point P_{p,i} = (x_{p,i}, y_{p,i}) defined by 

P_{p,i} = s_i S − t_i T in E(F_p). 
[4] Make a change of variables in P^2 of the form 

    [X']   [a_11 a_12 a_13] [X] 
    [Y'] = [a_21 a_22 a_23] [Y] 
    [Z']   [a_31 a_32 a_33] [Z] 

so that the first four points become 

P_{p,1} = [1, 0, 0], P_{p,2} = [0, 1, 0], P_{p,3} = [0, 0, 1], P_{p,4} = [1, 1, 1]. 

The equation for E will then have the form: 

u_{p,1} X^3 + u_{p,2} X^2 Y + u_{p,3} X Y^2 + u_{p,4} Y^3 + u_{p,5} X^2 Z + u_{p,6} XYZ 
+ u_{p,7} Y^2 Z + u_{p,8} X Z^2 + u_{p,9} Y Z^2 + u_{p,10} Z^3 = 0. 


[5] Use the Chinese Remainder Theorem to find integers u'_1, ..., u'_{10} satisfying 

u'_i ≡ u_{p,i} (mod p) and u'_i ≡ u_{M,i} (mod M) for all 1 ≤ i ≤ 10. 

[6] Lift the chosen points to P^2(Q). That is, choose points 

P_i = [x_i, y_i, z_i], 1 ≤ i ≤ r, 

with integer coordinates satisfying 

P_i ≡ P_{p,i} (mod p) and P_i ≡ P_{M,i} (mod M) for all 1 ≤ i ≤ r. 

In particular, take P_1 = [1, 0, 0], P_2 = [0, 1, 0], P_3 = [0, 0, 1], P_4 = [1, 1, 1]. 
[7] Let B = B(P_1, ..., P_r) be the matrix of cubic monomials defined earlier. 
Consider the system of linear equations: 

Bu = 0. (5.1) 

Find a small integer solution u = [u_1, ..., u_{10}] to (5.1) which has the 
additional property 

u ≡ [u'_1, ..., u'_{10}] (mod Mp), 

where u'_1, ..., u'_{10} are the coefficients computed in Step [5]. Let C_u denote 
the associated cubic curve: 

C_u: u_1 x^3 + u_2 x^2 y + u_3 x y^2 + u_4 y^3 + u_5 x^2 z + u_6 xyz 
+ u_7 y^2 z + u_8 x z^2 + u_9 y z^2 + u_{10} z^3 = 0. 
[8] Make a change of coordinates to put C_u into standard minimal Weierstrass 
form with the point P_1 = [1, 0, 0] the point at infinity, O. Write the 
resulting equation as 

E_u: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 (5.2) 

with a_1, ..., a_6 ∈ Z, and let Q_1, Q_2, ..., Q_r denote the images of 
P_1, P_2, ..., P_r under this change of coordinates (so in particular, Q_1 = O). 
Let c_4(u), c_6(u), and Δ(u) be the usual quantities in [56] associated to 
the Eq. (5.2). 
[9] Check if the points Q_1, Q_2, ..., Q_r ∈ E_u(Q) are independent. If they are, 
return to Step [2] or [3]. Otherwise compute a relation of dependence 

n_2 Q_2 + n_3 Q_3 + ··· + n_r Q_r = O, 

set 

n_1 = −n_2 − n_3 − ··· − n_r, 

and continue with the next step. 
[10] Compute 

s = Σ_{i=1}^{r} n_i s_i and t = Σ_{i=1}^{r} n_i t_i. 

If gcd(s, N_p) > 1, go to Step [2] or [3]. Otherwise compute an inverse 
ss' ≡ 1 (mod N_p). Then 

log_T S ≡ s't (mod N_p), 

and the ECDLP is solved. 


As can be seen, the basic idea in the above algorithm is that we first choose 
points P_1, P_2, ..., P_r in E(F_p) and lift them to points Q_1, Q_2, ..., Q_r having integer 
coordinates, then we choose an elliptic curve E(Q) that goes through the points 
Q_1, Q_2, ..., Q_r, and finally we check if the points Q_1, Q_2, ..., Q_r are dependent. If they 
are, the ECDLP is almost solved. Thus, the goal of the xedni calculus is to find an 
instance where an elliptic curve has smaller than expected rank. Unfortunately, a 
set of points Q_1, Q_2, ..., Q_r as constructed above will usually be independent. So, 
it will not work. To make it work, a congruence method, due to Mestre [45], is 
used in reverse to produce the lifted curve E having smaller than expected rank.¹ 
Again unfortunately, Mestre's method is based on some deep ideas and unproved 
conjectures in analytic number theory and arithmetic algebraic geometry, so it is not 
possible for us at present to give even a rough estimate of the running time of the 
algorithm. So, we know virtually nothing about the complexity of the xedni calculus. 
We also do not know if the xedni calculus will be practically useful; it may be 
completely useless from a practical point of view. Much needs to be done before we 
can have a better understanding of the xedni calculus. 

¹Mestre's original method is to produce elliptic curves of large rank. 

Table 5.1 Algorithms for IFP, DLP and ECDLP 

IFP                  | DLP                  | ECDLP 
Trial divisions      | Baby-step giant-step | Baby-step giant-step 
                     | Pohlig-Hellman       | Pohlig-Hellman 
ρ                    | ρ                    | ρ 
CFRAC/MPQS           | Index calculus       | 
NFS                  | NFS                  | 
Xedni calculus       | Xedni calculus       | Xedni calculus 
Quantum algorithm    | Quantum algorithms   | Quantum algorithms 

The index calculus is a probabilistic, subexponential-time algorithm applicable 
to IFP and DLP. However, there is no known subexponential-time algorithm for 
ECDLP; the index calculus will not work for ECDLP. The xedni calculus, on the 
other hand, is applicable to ECDLP (it is in fact also applicable to IFP and DLP), 
but unfortunately its complexity is essentially unknown. From a computability 
point of view, xedni calculus is applicable to IFP, DLP and ECDLP, but from a 
complexity point of view, the xedni calculus may turn out to be not useful. As for 
quantum algorithms, we now know that IFP, DLP and ECDLP can all be solved in 
polynomial-time if a quantum computer is available for use. However, the problem 
with quantum algorithms is that a practical quantum computer is out of reach in 
today's technology. We summarise various algorithms for IFP, DLP and ECDLP in 
Table 5.1. 

Finally, we conclude that we do have algorithms to solve IFP, DLP and ECDLP; 
the only problem is that we do not have an efficient algorithm, nor has anyone 
proved that no such efficient algorithm exists. From a computational complexity 
point of view, a P-type problem is easy to solve, whereas an NP-type problem 
is easy to verify [18], so IFP, DLP and ECDLP are clearly in NP. For example, 
it might be difficult (indeed, it is difficult at present) to factor a large integer, but 
it is easy to verify whether or not a given factorization is correct. If P = NP, 
then the two types of problems are the same, and factorization is difficult only 
because no one has been clever enough to find an easy/efficient algorithm yet (it may 
turn out that the integer factorization problem is indeed NP-hard, regardless of the 
cleverness of human beings). Whether or not P = NP is one of the biggest 
open problems in both mathematics and computer science, and it is listed as the 
first of the seven Millennium Prize Problems by the Clay Mathematics Institute in 
Boston on 24 May 2000 [12]. The struggle continues and more research needs to be 
done before we can say anything about whether or not P = NP! 


5.1.6 Recent Progress in ECDLP 


In November 1997, Certicom, a computer security company in Waterloo, Canada, 
introduced the Elliptic Curve Cryptosystem (ECC) challenge, consisting of a series 
of elliptic curve discrete logarithm problems (see the official webpage of the 
challenge problems): 

http://www.certicom.com/index.php?action=ecc,ecc_challenge. 

These problems aim at increasing industry understanding and appreciation for 
the difficulty of ECDLP and encouraging and stimulating further research in the 
security analysis of ECC. The challenge is to compute the ECC private keys from 
the given list of ECC public keys and associated system parameters. It is the type of 
problem facing an adversary who wishes to attack ECC. These problems are defined 
on curves either over F_{2^m} or over F_p with p prime (see Tables 5.2 and 5.3). Also there 
are three levels of difficulty associated to the curves: exercise level (with bits less 
than 109), rather easy level (with bits in 109-131), and very hard level (with bits in 
163-359). Readers who are interested in solving real-world ECDLP problems are 
suggested to try to solve the problems listed in Tables 5.2 and 5.3, particularly those 
with the question mark "?", as they are still open to date. 

Table 5.2 Elliptic curves over F_{2^m} 

Curve      | Field size (in bits) | Estimated number of machine days | Prize in US dollars | Status 
ECC2K-95   |  97 | 8637        | $5000    | May 1998 
ECC2-97    |  97 | 180,448     | $5000    | Sept 1999 
ECC2K-108  | 108 | 1.3 × 10^6  | $10,000  | April 2000 
ECC2-109   | 109 | 2.1 × 10^7  | $10,000  | April 2004 
ECC2K-130  | 131 | 2.7 × 10^9  | $20,000  | ? 
ECC2-131   | 131 | 6.6 × 10^10 | $20,000  | ? 
ECC2-163   | 163 | 2.9 × 10^15 | $30,000  | ? 
ECC2K-163  | 163 | 4.6 × 10^14 | $30,000  | ? 
ECC2-191   | 191 | 1.4 × 10^20 | $40,000  | ? 
ECC2-238   | 239 | 3.0 × 10^27 | $50,000  | ? 
ECC2K-238  | 239 | 1.3 × 10^26 | $50,000  | ? 
ECC2-353   | 359 | 1.4 × 10^45 | $100,000 | ? 
ECC2K-358  | 359 | 2.8 × 10^44 | $100,000 | ? 

Table 5.3 Elliptic curves over F_p 

Curve      | Field size (in bits) | Estimated number of machine days | Prize in US dollars | Status 
ECCp-97    |  97 | 71,982      | $5000    | March 1998 
ECCp-109   | 109 | 9 × 10^7    | $10,000  | Nov 2002 
ECCp-131   | 131 | 2.3 × 10^10 | $20,000  | ? 
ECCp-163   | 163 | 2.3 × 10^15 | $30,000  | ? 
ECCp-191   | 191 | 4.8 × 10^19 | $40,000  | ? 
ECCp-239   | 239 | 1.4 × 10^27 | $50,000  | ? 
ECCp-359   | 359 | 3.7 × 10^45 | $100,000 | ? 

Note from the two tables that no progress has been made for problems with 
question mark "?" since 2004. There has, however, been some progress on other 
ECDLP problems. In what follows, we present three recent ECDLP records. 


1. In 2009 Bos, Kaihara et al. [5] solved the following 112-bit prime ECDLP 
problem: For the elliptic curve 

E: y^2 = x^3 + ax + b 

over the finite field F_p, where 

p = (2^128 − 3)/(11 · 6949) = 4451685225093714772084598273548427, 
a = 4451685225093714772084598273548424, 
b = 2061118396808653202902996166388514, 
x_P = 188281465057972534892223778713752, 
y_P = 3419875491033170827167861896082688, 
x_Q = 1415926535897932384626433832795028, 
y_Q = 3846759606494706724286139623885544, 

with P(x_P, y_P) and Q(x_Q, y_Q) the two points on E, they found the required 
logarithm to be 

k = 312521636014772477161767351856699, 

such that 

Q = kP. 

2. Wenger and Wolfger [68] solved in 2014 the following 113-bit ECDLP. 
For the elliptic curve (Koblitz curve) 

E: y^2 + xy = x^3 + ax^2 + b 

over F_{2^113}, where 

a = 1, 
b = 1, 
x_P = 3295120575173384136238266668942876, 
y_P = 4333847502504860461181278233187993, 
x_Q = 7971264128558500679984293536799342, 
y_Q = 289586665214862450742063709287836, 

with P(x_P, y_P) and Q(x_Q, y_Q) the two points on E, they found the required 
logarithm to be 

k = 799581514866437129836942536465990, 

such that 

Q = kP. 

3. Wenger and Wolfger (see [69, 70]) announced in Jan 2015 a discrete logarithm 
record in the finite field F_{2^113}. More specifically, for the elliptic curve E over F_{2^113}: 

y^2 + xy = x^3 + ax^2 + b, 

where 

a = 984342157317881800509153672175863, 
b = 4720643197658441292834747278018339, 
x_P = 8611161909599329818310188302308875, 
y_P = 7062592440118670058899979569784381, 
x_Q = 6484392715773238573436200651832265, 
y_Q = 7466851312800339937981984969376306, 

with P(x_P, y_P) and Q(x_Q, y_Q) the two points on E, they found the required 
logarithm to be 

k = 2760361941865110448921065488991383, 

such that 

Q = kP. 


188 5 Quantum Computing for Elliptic Curve Discrete Logarithms 
Problems for Section 5.1 


1. As Shanks' Baby-Step Giant-Step method works for arbitrary groups, it can be 
extended, of course, to elliptic curve groups. 

(1) Develop an elliptic curve analog of Shanks' algorithm to solve the ECDLP 
problem. 
(2) Use the analog algorithm to solve the following ECDLP problem, that is, to 
find k such that 

Q = kP (mod 41), 

where E\F_41: y^2 = x^3 + 2x + 1 (mod 41), P = (0, 1) and Q = (30, 40). 

2. Pollard's ρ and λ methods for IFP/DLP can also be extended to ECDLP. 

(1) Develop an elliptic curve analog of Pollard's ρ algorithm to solve the ECDLP 
problem. 
(2) Use the ρ algorithm to solve the following ECDLP problem: find k such that 

Q = kP (mod p), 

where E\F_1093: y^2 = x^3 + x + 1 (mod 1093), P = (0, 1) and Q = (413, 959). 

3. (Extend the Silver-Pohlig-Hellman method) 

(1) Develop an elliptic curve analog of the Silver-Pohlig-Hellman method for 
ECDLP. 
(2) Use this analog method to solve the following ECDLP problem: find k such 
that 

Q = kP (mod p), 

where E\F_5599: y^2 = x^3 + 1 (mod 1093), P = (60, 19) and Q = (277, 239). 

4. In 1993, Menezes, Okamoto and Vanstone developed an algorithm for ECDLP 
over F_{p^n} with p^n a prime power. Give a description and complexity analysis of 
this algorithm. 

5. Let E\F_p be the elliptic curve E over F_p with p prime, where E is defined by 

y^2 = x^3 + ax + b. 

(1) Let P, Q ∈ E with P ≠ ±Q be two points on E. Find the addition formula 
for computing P + Q. 
(2) Let P ∈ E with P ≠ −P. Find the addition formula for computing 2P. 


(3) Let E\F_23 be as follows: 

E\F_23: y^2 = x^3 + x + 4 (mod 23). 

Find all the points of E(F_23), including the point at infinity, on E. 

(4) Let P = (7, 20) and Q = (17, 14) be in E\F_23 defined above; find P + Q 
and 2P. 

(5) Let Q = (13, 11) and P = (0, 2) such that Q = kP (mod 23). Find k = 
log_P Q (mod 23), the discrete logarithm over E(F_23). 


6. Let the elliptic curve be as follows: 

E\F_151: y^2 = x^3 + 2x (mod 151) 

with order 152. A point P = (97, 26) with order 19 is given. Let also Q = 
(43, 4) such that 

Q = kP (mod 151). 

Find k = log_P Q (mod 151), the discrete logarithm over E(F_151). 

7. Let the elliptic curve be as follows: 

E\F_43: y^2 = x^3 + 39x^2 + x + 41 (mod 43) 

with order 43. Find the ECDLP 

k = log_P Q (mod 43), 

where P = (0, 16) and Q = (42, 32). 

8. Let the elliptic curve be as follows: 

E\F_1009: y^2 = x^3 + 71x + 602 (mod 1009). 

Find the ECDLP 

k' = log_{P'} Q' (mod 1009) 

with 

Q' = (529, 97) = k'(32, 737) = k'P' 

in the subgroup of order 53 generated by P' = (32, 737). 
9. In ECCp-109, given 

E\F_p: y^2 = x^3 + ax + b (mod p), 
{P(x_1, y_1), Q(x_2, y_2)} ∈ E(F_p), 
p = 564538252084441556247016902735257, 
a = 321094768129147601892514872825668, 
b = 430782315140218274262276694323197, 
x_1 = 97339010987059066523156133908935, 
y_1 = 149670372846169285760682371978898, 
x_2 = 44646769697405861057630861884284, 
y_2 = 522968098895785888047540374779097, 

show that the following value of k 

k = 281183840311601949668207954530684 

is the correct value satisfying 

Q(x_2, y_2) = k · P(x_1, y_1) (mod p). 

10. In ECCp-121, given 

E\F_p: y^2 = x^3 + ax + b (mod p), 
{P(x_1, y_1), Q(x_2, y_2)} ∈ E(F_p), 
p = 4451685225093714772084598273548427, 
a = 4451685225093714772084598273548424, 
b = 2061118396808653202902996166388514, 
x_1 = 188281465057972534892223778713752, 
y_1 = 3419875491033170827167861896082688, 
x_2 = 1415926535897932384626433832795028, 
y_2 = 3846759606494706724286139623885544, 

show that the following value of k 

k = 312521636014772477161767351856699 

is the correct value satisfying 

Q(x_2, y_2) = k · P(x_1, y_1) (mod p). 

11. In ECCp-131, given 

E\F_p: y^2 = x^3 + ax + b (mod p), 
{P(x_1, y_1), Q(x_2, y_2)} ∈ E(F_p), 
p = 1550031797834347859248576414813139942411, 
a = 1399267573763578815877905235971153316710, 
b = 1009296542191532464076260367525816293976, 
x_1 = 1317953763239595888465524145589872695690, 
y_1 = 434829348619031278460656303481105428081, 
x_2 = 1247392211317907151303247721489640699240, 
y_2 = 207534858442090452193999571026315995117, 

find the correct value of k such that 

Q(x_2, y_2) = k · P(x_1, y_1) (mod p). 


5.2 ECDLP-Based Cryptography 


5.2.1 Basic Ideas in ECDLP-Based Cryptography 


Since ECDLP is also computationally infeasible in polynomial-time, it can thus be 
used to construct unbreakable cryptographic systems: 

                 can be used to construct 
    ECDLP    ---------------------------->    ECDLP-Based Cryptography 
    Infeasible                                Secure 

              No Efficient Classical Attacks 
        on both ECDLP and ECDLP-Based Cryptography 

The first two people to use ECDLP to construct cryptographic systems, now 
widely known as Elliptic Curve Cryptography, were Miller [47] and Koblitz [32] 
in the 1980s. Since then, ECDLP and ECC have been studied extensively, and many 
practical elliptic curve cryptographic systems and protocols have been developed. 
Today, Elliptic Curve Cryptography is a standard term in the field. 
5.2.2 Precomputations of Elliptic Curve Cryptography 


To implement elliptic curve cryptography, we need to do the following 
precomputations: 

[1] Embed Messages on Elliptic Curves: Our aim here is to do cryptography with 
elliptic curve groups in place of F_q^*. More specifically, we wish to embed plain-text 
messages as points on an elliptic curve defined over a finite field F_q, with 
q = p^r and p ∈ Primes. Let our message units m be integers 0 ≤ m < M, and let 
κ be a large enough integer for us to be satisfied with an error probability of 2^{−κ} 
when we attempt to embed a plain-text message m. In practice, 30 ≤ κ ≤ 50. 
Now let us take κ = 30 and an elliptic curve E: y^2 = x^3 + ax + b over F_q. 
Given a message number m, we compute a set of values for x: 

x ∈ {mκ + j, j = 0, 1, 2, ...} = {30m, 30m + 1, 30m + 2, ...} 

until we find that x^3 + ax + b is a square modulo p, giving us a point 
(x, √(x^3 + ax + b)) on E. To convert a point (x, y) on E back to a message 
number m, we just compute m = ⌊x/30⌋. Since x^3 + ax + b is a square for 
approximately 50% of all x, there is only about a 2^{−κ} probability that this 
method will fail to produce a point on E over F_q. In what follows, we shall give 
a simple example of how to embed a message number by a point on an elliptic 
curve. Let E be y^2 = x^3 + 3x, m = 2174 and p = 4177 (in practice, we select 
p > 30m). Then we calculate x = 30 · 2174 + j, j = 0, 1, 2, ... until x^3 + 3x 
is a square modulo 4177. We find that when j = 15: 

x = 30 · 2174 + 15 
  = 65235, 
x^3 + 3x = (30 · 2174 + 15)^3 + 3(30 · 2174 + 15) 
         = 277614407048580 
         ≡ 1444 (mod 4177) 
         = 38^2. 

So we get the message point for m = 2174: 

(x, √(x^3 + ax + b)) = (65235, 38). 

To convert the message point (65235, 38) on E back to its original message 
number m, we just compute 

m = ⌊65235/30⌋ = ⌊2174.5⌋ = 2174. 
[2] Multiply Points on Elliptic Curves over F_q: We have discussed the calculation 
of kP ∈ E over Z/qZ. In elliptic curve public-key cryptography, we are 
now interested in the calculation of kP ∈ E over F_q, which can be done in 
O(log k (log q)^3) bit operations by the repeated doubling method. If we happen 
to know N, the number of points on our elliptic curve E, and if k > N, then the 
coordinates of kP on E can be computed in O((log q)^4) bit operations; recall 
that the number N of points on E satisfies N ≤ q + 1 + 2√q = O(q) and can 
be computed by René Schoof's algorithm in O((log q)^8) bit operations. 
[3] Compute Elliptic Curve Discrete Logarithms: Let E be an elliptic curve over 
F_q, and B a point on E. Then the discrete logarithm on E is the problem: given a 
point P ∈ E, find an integer x ∈ Z such that xB = P, if such an integer x exists. 
It is likely that the discrete logarithm problem on elliptic curves over F_q is more 
intractable than the discrete logarithm problem in F_q. It is this feature that makes 
cryptographic systems based on elliptic curves even more secure than those based 
on the discrete logarithm problem. In the rest of this section, we shall discuss 
elliptic curve analogues of some important public-key cryptosystems. 

In what follows, we shall present some elliptic curve analogues of widely 
used public-key cryptosystems, namely the elliptic curve DHM, the elliptic curve 
Massey-Omura, the elliptic curve ElGamal, the elliptic curve RSA and the elliptic curve 
digital signature algorithm. 


5.2.3 Elliptic Curve DHM 


The Diffie-Hellman-Merkle key-exchange scheme over a finite field F_q can be easily 
extended to an elliptic curve E over a finite field F_q (denoted by E\(F_q)); such an 
elliptic curve analog may be described as follows (see Figure 5.2). 

[1] Alice and Bob publicly choose a finite field F_q with q = p^r and p ∈ Primes, an 
elliptic curve E over F_q, and a random base point P ∈ E such that P generates 
a large subgroup of E, preferably of the same size as that of E itself. All of this 
is public information. 
[2] To agree on a secret key, Alice and Bob choose two secret random integers a 
and b. Alice computes aP ∈ E and sends aP to Bob; Bob computes bP ∈ E and 
sends bP to Alice. Both aP and bP are, of course, public but a and b are not. 
Now both Alice and Bob compute the secret key abP ∈ E, and use it for further 
secure communications. 
[3] Cryptanalysis: For the eavesdropper Eve to get abP, she has to either find a 
from (aP, P) or b from (bP, P). 

As everybody knows, there is no known fast way to compute abP if one only 
knows P, aP and bP; this is the infeasible Elliptic Curve Discrete Logarithm 
Problem. 

Figure 5.2 Elliptic curve DHM key-exchange scheme: (E, P, q) is public; Alice 
chooses a and sends aP mod q to Bob, Bob chooses b and sends bP mod q to Alice; 
Alice computes a(bP mod q) and Bob computes b(aP mod q). 


Example 5.4. The following is an elliptic curve analog of the DHM scheme. Let 

E\F_199: y^2 = x^3 + x + 3, 
P = (1, 76) ∈ E(F_199), 
a = 23, 
b = 86. 

Then 

Alice                                       Bob 
23P mod 199 = (2, 150)            -->       
                                  <--       86P mod 199 = (123, 187) 
86P mod 199 = (123, 187)                    23P mod 199 = (2, 150) 
23 · 86P mod 199 = (156, 75)                86 · 23P mod 199 = (156, 75) 

                     k = (156, 75) 

Clearly, anyone who can find the discrete logarithm a or b such that 

(2, 150) = a(1, 76) (mod 199), (123, 187) = b(1, 76) (mod 199) 

can get the key abP = (156, 75) (mod 199). 


Example 5.5. We illustrate another example of the elliptic curve analog of the DHM 
scheme. Let 

E\F_11027: y^2 = x^3 + 4601x + 548, 
P = (9954, 8879) ∈ E(F_11027), 
a = 1374, 
b = 2493. 

Then 

Alice                                          Bob 
a = 1374                                       b = 2493 
1374P mod 11027 = (8326, 8369)       -->       
                                     <--       2493P mod 11027 = (2651, 6701) 
2493P mod 11027 = (2651, 6701)                 1374P mod 11027 = (8326, 8369) 
1374(2493P) mod 11027 = (3432, 1094)           2493(1374P) mod 11027 = (3432, 1094) 

                      k = (3432, 1094) 

Anyone who can find the discrete logarithm a or b such that 

(8326, 8369) = a(9954, 8879) (mod 11027), 

or 

(2651, 6701) = b(9954, 8879) (mod 11027) 

can get the key abP = (3432, 1094) (mod 11027). 


5.2.4 Elliptic Curve Massey-Omura 


Recall that the Massey-Omura cryptographic scheme is a three-pass protocol for 
sending messages, allowing Alice to securely send a message to Bob without the 
need to exchange or distribute encryption keys. Let E be an elliptic curve over 
F_q with q a prime power, and M = P ∈ E(F_q) the original message point. Then 
the elliptic curve analog of the Massey-Omura cryptosystem may be described as 
follows (see also Figure 5.3). 

Figure 5.3 The elliptic curve Massey-Omura cryptography: M ∈ E(F_q), |E(F_q)| = N; 
Alice generates (e_A, d_A) with e_A d_A ≡ 1 (mod N), Bob generates (e_B, d_B) with 
e_B d_B ≡ 1 (mod N); the three passes carry e_A P (mod q), e_A e_B P (mod q) and 
e_A e_B d_A P (mod q), and Bob computes e_A e_B d_A d_B P (mod q). 

[1] Alice and Bob publicly choose an elliptic curve E over F_q with q = p^r, a large 
prime power; as usual, we assume q = p and we suppose also that the number 
of points on E\F_q (denoted by N) is publicly known. 
[2] Alice chooses a secret pair of numbers (e_A, d_A) such that d_A e_A ≡ 1 (mod N). 
Similarly, Bob chooses (e_B, d_B) such that d_B e_B ≡ 1 (mod N). 
[3] If Alice wants to send a secret message-point P ∈ E to Bob, then the procedure 
should be as follows: 

Alice sends e_A P mod q to Bob, 
Bob sends e_B e_A P mod q to Alice, 
Alice sends d_A e_B e_A P mod q = e_B P to Bob, 
Bob computes d_B e_B P = P and hence recovers the original message 
point. 

Note that an eavesdropper would know e_A P, e_B e_A P, and e_B P. So if he could solve 
the elliptic curve discrete logarithm problem on E, he could determine e_B from the 
first two points and then compute d_B = e_B^{-1} mod N and hence get P = d_B(e_B P). 


Example 5.6. We follow closely the steps in the above discussed elliptic curve 
Massey-Omura cryptography. Let 

p = 13, 
E\F_13: y^2 = x^3 + 4x + 4 (mod 13), 
|E(F_13)| = 15, 
M = (12, 8), 
(e_A, d_A) = (7, 13) (mod 15), 
(e_B, d_B) = (2, 8) (mod 15). 

Then 

e_A M = 7(12, 8) (mod 13) 
      = (1, 10) (mod 13), 
e_A e_B M = e_B(1, 10) (mod 13) 
          = 2(1, 10) (mod 13) 
          = (12, 5) (mod 13), 
e_A e_B d_A M = d_A(12, 5) (mod 13) 
              = 13(12, 5) (mod 13) 
              = (6, 6) (mod 13), 
e_A e_B d_A d_B M = d_B(6, 6) (mod 13) 
                  = 8(6, 6) (mod 13) 
                  = (12, 8) (mod 13) 
                  = M. 

Example 5.7. Let 

p = 13, 
E\F_13: y^2 = x^3 + x (mod 13), 
|E(F_13)| = 20, 
M = (11, 9), 
(e_A, d_A) = (3, 7) (mod 20), 
(e_B, d_B) = (13, 17) (mod 20). 

Then 

e_A M = 3(11, 9) (mod 13) 
      = (7, 5) (mod 13), 
e_A e_B M = e_B(7, 5) (mod 13) 
          = 13(7, 5) (mod 13) 
          = (11, 4) (mod 13), 
e_A e_B d_A M = d_A(11, 4) (mod 13) 
              = 17(11, 4) (mod 13) 
              = (7, 5) (mod 13), 
e_A e_B d_A d_B M = d_B(7, 5) (mod 13) 
                  = 17(7, 5) (mod 13) 
                  = (11, 9) (mod 13) 
                  = M. 

Figure 5.4 Elliptic curve ElGamal cryptography: (E, P, q) is public; Alice chooses a 
and sends aP mod q to Bob; Bob chooses b and sends (bP, M + b(aP)) mod q to Alice; 
Alice recovers M = M + b(aP) − a(bP) (mod q). 


5.2.5 Elliptic Curve ElGamal 


Just the same as many other public-key cryptosystems, the famous ElGamal 
cryptosystem also has a very straightforward elliptic curve analog, which may be 
described as follows (see also Figure 5.4). 

[1] Suppose Bob wishes to send a secret message to Alice: 

         secret message 
    Bob ----------------> Alice. 

Alice and Bob publicly choose an elliptic curve E over F_q with q = p^r a prime 
power, and a random base point P ∈ E. Suppose they also know the number of 
points on E, i.e., they know |E(F_q)| = N. 
[2] Alice chooses a random integer a, computes aP mod q and sends it to Bob. 
[3] Encryption: Bob chooses at random an integer b and computes bP mod q. 
Bob also computes (M + b(aP)) mod q. Then Bob sends the secret encrypted 
message (bP, M + b(aP)) mod q to Alice. 
[4] Decryption: Since Alice has the secret key a, she can compute a(bP) mod q 
and get 

M = (M + b(aP)) − a(bP) (mod q), 

the original plaintext message. 
[5] Cryptanalysis: Eve, the eavesdropper, can only get M if she can solve the 
Elliptic Curve Discrete Logarithm Problem. That is, she can get M if she can 
find a from aP mod q or b from bP mod q. But as everybody knows, there is no 
efficient way to compute elliptic curve discrete logarithms, so the ElGamal 
cryptosystem is secure. 


Example 5.8. Suppose Bob wishes to send Alice a secret message M by using the 
elliptic curve ElGamal cryptographic scheme. 

[1] Set-up: 

E\F_29: y^2 = x^3 − x + 16 (mod 29), 
N = |E(F_29)| = 31, 
P = (5, 7) ∈ E(F_29), 
M = (28, 25). 

[2] Public-key generation: Assume Bob sends the secret message M to Alice, so 
Alice: 
chooses a random secret integer a = 23, 
computes aP = 23P = (21, 18) (mod 29), 
sends aP = (21, 18) (mod 29) to Bob. 

[3] Encryption: Bob 
chooses a random secret integer b = 25, 
computes bP = 25P = (13, 24) (mod 29), 
b(aP) = 17(23P) = 17(21, 18) = (1, 25) (mod 29), 
M + b(aP) = (28, 25) + (1, 25) = (0, 4) (mod 29), 
sends (bP = (1, 25), M + b(aP) = (0, 4)) to Alice. 

[4] Decryption: Alice computes 
a(bP) = 23(25P) = 23(13, 24) = (1, 25), 
M = M + b(aP) − a(bP) 
  = (0, 4) − (1, 25) 
  = (0, 4) + (1, −25) 
  = (28, 25). 

So, Alice recovers the original secret message M = (28, 25). 


Example 5.9. Now we give one more example of the elliptic curve ElGamal 
cryptosystem. 

[1] Set-up: 

E\F_523: y^2 = x^3 + 22x + 153 (mod 523), 
P = (167, 118) ∈ E(F_523), 
M = (220, 287) is the plaintext. 

[2] Public-key generation: Assume Bob sends the secret message M to Alice, so 
Alice: 
chooses a random secret integer a = 97, 
computes aP = 97(167, 118) = (167, 405) (mod 523), 
sends aP = (167, 405) (mod 523) to Bob. 

[3] Encryption: Bob 
chooses a random secret integer b = 263, 
computes bP = 263(167, 118) = (5, 503) (mod 523), 
b(aP) = 263(167, 405) = (5, 20) (mod 523), 
M + b(aP) = (220, 287) + (5, 20) = (36, 158) (mod 523), 
sends (bP = (5, 503), M + b(aP) = (36, 158)) to Alice. 

[4] Decryption: Alice computes 
a(bP) = 97(5, 503) = (5, 20), 
M = M + b(aP) − a(bP) 
  = (36, 158) − (5, 20) 
  = (36, 158) + (5, 503) 
  = (220, 287). 

So, Alice recovers the original secret message M = (220, 287). 
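An added Python example, not from the book, that serves two passages: Pollard's ρ of Algorithm 5.2 driven by the R_j and starting (c', d') of Example 5.3 (Section 5.1.4), so that it reproduces that example's table and finds k = 176 at iteration 12, and the elliptic curve ElGamal scheme of this section on the same curve. The affine curve arithmetic, the message point 7P and the seeded randomness are constructed for the example.

```python
# Added example (not from the book): affine arithmetic on y^2 = x^3 + a x + b over
# F_p, Pollard's rho for ECDLP (Algorithm 5.2, run on the data of Example 5.3) and
# elliptic curve ElGamal (Section 5.2.5). Needs Python 3.8+ for pow(x, -1, p).
import random

INF = None  # the point at infinity O

def ec_add(P, Q, curve):
    """Chord-and-tangent addition of affine points; curve = (a, p), b is not needed."""
    a, p = curve
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P (also 2P when y = 0)
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, curve):
    """kP by repeated doubling (right-to-left binary method)."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, curve)
        P = ec_add(P, P, curve)
        k >>= 1
    return R

def ec_neg(P, curve):
    return INF if P is INF else (P[0], (-P[1]) % curve[1])

def pollard_rho_ecdlp(P, Q, r, curve, jumps, start):
    """Algorithm 5.2 with Floyd cycle detection.
    jumps: pairs (a_j, b_j) defining R_j = a_j P + b_j Q for the L branches;
    start: the initial (c', d').  Partition H(x, y) = (x mod L) + 1 as in Example 5.3.
    Returns (k, iterations) with Q = kP, or (None, iterations) when d' = d''."""
    L = len(jumps)
    R = [ec_add(ec_mul(aj, P, curve), ec_mul(bj, Q, curve), curve) for aj, bj in jumps]

    def step(X, c, d):
        j = 0 if X is INF else X[0] % L      # zero-based H(X)
        return ec_add(X, R[j], curve), (c + jumps[j][0]) % r, (d + jumps[j][1]) % r

    c1, d1 = start
    X1 = ec_add(ec_mul(c1, P, curve), ec_mul(d1, Q, curve), curve)
    X2, c2, d2 = X1, c1, d1                   # X'' <- X', c'' <- c', d'' <- d'
    i = 0
    while True:
        i += 1
        X1, c1, d1 = step(X1, c1, d1)               # tortoise: one step
        X2, c2, d2 = step(*step(X2, c2, d2))        # hare: two steps
        if X1 == X2:
            break
    if d1 == d2:
        return None, i
    return (c1 - c2) * pow(d2 - d1, -1, r) % r, i   # k = (c' - c'')(d'' - d')^-1 mod r

def ec_elgamal_keygen(P, r, curve, rng):
    """Alice: secret a, public aP."""
    a = rng.randrange(1, r)
    return a, ec_mul(a, P, curve)

def ec_elgamal_encrypt(M, P, aP, r, curve, rng):
    """Bob: ephemeral b, ciphertext (bP, M + b(aP))."""
    b = rng.randrange(1, r)
    return ec_mul(b, P, curve), ec_add(M, ec_mul(b, aP, curve), curve)

def ec_elgamal_decrypt(ct, a, curve):
    """Alice: M = (M + b(aP)) - a(bP), using a(bP) = b(aP)."""
    bP, C = ct
    return ec_add(C, ec_neg(ec_mul(a, bP, curve), curve), curve)

# Example 5.3 data: E: y^2 = x^3 + x + 44 over F_229, P of prime order 239, Q in <P>.
CURVE = (1, 229)
P, Q, R_ORDER = (5, 116), (155, 166), 239
JUMPS = [(79, 163), (206, 19), (87, 109), (219, 68)]  # (a_i, b_i) behind R_1..R_4
START = (54, 175)                                     # (c', d') at iteration 0

def elgamal_roundtrip(M, seed=1):
    """Key generation, encryption and decryption of a point M; True if M comes back.
    The seed is a constructed stand-in for the secret random choices."""
    rng = random.Random(seed)
    a, aP = ec_elgamal_keygen(P, R_ORDER, CURVE, rng)
    ct = ec_elgamal_encrypt(M, P, aP, R_ORDER, CURVE, rng)
    return ec_elgamal_decrypt(ct, a, CURVE) == M

if __name__ == "__main__":
    k, n = pollard_rho_ecdlp(P, Q, R_ORDER, CURVE, JUMPS, START)
    print(f"k = {k} after {n} iterations")          # k = 176 after 12 iterations
    print(elgamal_roundtrip(ec_mul(7, P, CURVE)))   # True (7P is a constructed message)
```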


The above are some elliptic curve analogues of certain public-key cryptosystems. 
It should be noted that almost every public-key cryptosystem has an elliptic curve 
analogue; it is of course possible to develop new elliptic curve cryptosystems which 
do not rely on the existing cryptosystems. 
It should also be noted that digital signature schemes can likewise be given elliptic 
curve analogues over F_q or over Z/nZ with n = pq and p, q ∈ Primes, in exactly 
the same way as for public-key cryptography; several elliptic curve analogues 
of digital signature schemes have already been proposed, see, e.g., [46]. 


5.2.6 Menezes-Vanstone ECC 


A serious problem with all the above-mentioned elliptic curve cryptosystems is that the 
plaintext message units m must lie on the elliptic curve E, and there is no convenient 
method known for deterministically generating such points on E. Fortunately, 
Menezes and Vanstone discovered a more efficient variation [42]; in this 
variation, which we shall describe below, the elliptic curve is used for “masking”, 
and the plaintext and ciphertext pairs are allowed to be in F_p^* × F_p^* rather than on 
the elliptic curve. 


[1] Key generation: Alice and Bob publicly choose an elliptic curve E over F_p, with 
p > 3 prime, and a random base point P ∈ E(F_p) such that P generates a 
large subgroup H of E(F_p), preferably of the same size as that of E(F_p) itself. 
Assume that the randomly chosen k ∈ Z_{|H|} and a ∈ N are secret. 

[2] Encryption: Suppose now Alice wants to send the message 


m = (m₁, m₂) ∈ (Z/pZ)* × (Z/pZ)* 


to Bob; then she does the following: 


[2-1] β = aP, where P and β are public; 

[2-2] (y₁, y₂) = kβ; 

[2-3] c₀ = kP; 

[2-4] c_j = y_j m_j (mod p) for j = 1, 2; 

[2-5] Alice sends the encrypted message c of m to Bob: 


c = (c₀, c₁, c₂). 


[3] Decryption: Upon receiving Alice’s encrypted message c, Bob calculates the 
following to recover m: 


[3-1] ac₀ = (y₁, y₂); 

[3-2] m = (c₁y₁⁻¹ (mod p), c₂y₂⁻¹ (mod p)). 
Example 5.10. The following is a nice example of the Menezes-Vanstone 
cryptosystem [48]. 


[1] Key generation: Let E be the elliptic curve given by y² = x³ + 4x + 4 over F₁₃, 
and P = (1, 3) be a point on E. Choose E(F₁₃) = H, which is cyclic of order 15, 
generated by P. Let also the private keys be k = 5 and a = 2, and the plaintext 
m = (12, 7) = (m₁, m₂). 
[2] Encryption: Alice computes: 
β = aP = 2(1, 3) = (12, 8), 
(y₁, y₂) = kβ = 5(12, 8) = (10, 11), 
c₀ = kP = 5(1, 3) = (10, 2), 
c₁ = y₁m₁ = 10·12 = 3 (mod 13), 
c₂ = y₂m₂ = 11·7 = 12 (mod 13). 
Then Alice sends 


c = (c₀, c₁, c₂) = ((10, 2), 3, 12) 


to Bob. 
[3] Decryption: Upon receiving Alice’s message, Bob computes: 


ac₀ = 2(10, 2) = (10, 11) = (y₁, y₂), 
m₁ = c₁y₁⁻¹ = 12 (mod 13), 
m₂ = c₂y₂⁻¹ = 7 (mod 13). 


Thus, Bob recovers the message m = (12,7). 


5.2.7 Elliptic Curve DSA 


We have already noted that almost every public-key cryptosystem has an elliptic 
curve analogue. It should also be noted that digital signature schemes can likewise 
be represented by elliptic curves over F_q with q a prime power or over Z/nZ 
with n = pq and p, q ∈ Primes. In exactly the same way as for public-key 
cryptography, several elliptic curve analogues of digital signature schemes have 
already been proposed (see, for example, Meyer and Müller [46]). In what follows 
we shall describe an elliptic curve analogue of the DSA/DSS, called ECDSA [27]. 


Algorithm 5.4 (Elliptic Curve Digital Signature Algorithm). Let E be an 
elliptic curve over F_p with p prime, and let P be a point of prime order q 
(note that the q here is just a prime number, not a prime power) in E(F_p). 
Suppose Alice wishes to send a signed message to Bob. 


[1] [ECDSA key generation] Alice does the following: 


[1-1] select a random integer x ∈ [1, q − 1], 
[1-2] compute Q = xP, 
[1-3] make Q public, but keep x secret. 


Now Alice has generated the public key Q and the private key x. 
[2] [ECDSA signature generation] To sign a message m, Alice does the 
following: 


[2-1] select a random integer k ∈ [1, q − 1], 

[2-2] compute kP = (x₁, y₁), and r = x₁ (mod q). If r = 0, go to step 
[2-1], 

[2-3] compute k⁻¹ mod q, 

[2-4] compute s = k⁻¹(H(m) + xr) (mod q), where H(m) is the hash 
value of the message. If s = 0, go to step [2-1]. 


The signature for the message m is the pair of integers (r,s). 
[3] [ECDSA signature verification] To verify Alice’s signature (r, s) of the 
message m, Bob should do the following: 


[3-1] obtain an authenticated copy of Alice’s public key Q, 

[3-2] verify that (r, s) are integers in the interval [1, q − 1], compute 
kP = (x₁, y₁), and r = x₁ (mod q), 

[3-3] compute w = s⁻¹ (mod q) and H(m), 

[3-4] compute u₁ = H(m)w (mod q) and u₂ = rw (mod q), 

[3-5] compute u₁P + u₂Q = (x₀, y₀) and v = x₀ (mod q), 

[3-6] accept the signature if and only if v = r. 
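The following Python is an added example, not the book’s code: it implements the affine group law on y² = x³ + ax + b over F_p, then runs the Menezes-Vanstone scheme on the data of Example 5.10 and ECDSA (Algorithm 5.4) with SHA-256 as H. The secp256k1 domain parameters used for the ECDSA part are an assumption made here, since the text fixes no curve for it.

```python
import hashlib
import secrets


class Curve:
    """Affine arithmetic on y^2 = x^3 + a*x + b over F_p; None is the point at infinity O."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        # Chord-and-tangent rule: lambda is the slope through P and Q (the tangent if P = Q).
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                  # P + (-P) = O
        if P == Q:
            lam = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p)
        else:
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p)
        x3 = (lam * lam - P[0] - Q[0]) % p
        y3 = (lam * (P[0] - x3) - P[1]) % p
        return (x3, y3)

    def mul(self, k, P):
        # Repeated doubling and addition over the bits of k, most significant bit first.
        c = None
        for bit in bin(k)[2:]:
            c = self.add(c, c)
            if bit == "1":
                c = self.add(c, P)
        return c


def mv_encrypt(E, P, beta, k, m):
    # Menezes-Vanstone steps [2-2]..[2-5]: mask the coordinates of m with k*beta = (y1, y2).
    y1, y2 = E.mul(k, beta)
    if y1 == 0 or y2 == 0:
        raise ValueError("k*beta has a zero coordinate; pick another k")
    return E.mul(k, P), (y1 * m[0]) % E.p, (y2 * m[1]) % E.p


def mv_decrypt(E, a, c):
    # Steps [3-1], [3-2]: a*c0 = a*k*P = k*beta recovers the mask, then divide it out.
    c0, c1, c2 = c
    y1, y2 = E.mul(a, c0)
    return (c1 * pow(y1, -1, E.p)) % E.p, (c2 * pow(y2, -1, E.p)) % E.p


def hash_int(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")   # H(m) as an integer


def ecdsa_sign(E, P, q, x, m):
    h = hash_int(m)
    while True:
        k = secrets.randbelow(q - 1) + 1              # [2-1] k in [1, q-1]
        r = E.mul(k, P)[0] % q                        # [2-2] r = x1 mod q
        s = pow(k, -1, q) * (h + x * r) % q           # [2-3], [2-4]
        if r != 0 and s != 0:                         # otherwise go back to [2-1]
            return r, s


def ecdsa_verify(E, P, q, Q, m, sig):
    r, s = sig
    if not (1 <= r < q and 1 <= s < q):               # [3-2] range check
        return False
    w = pow(s, -1, q)                                 # [3-3]
    u1, u2 = hash_int(m) * w % q, r * w % q           # [3-4]
    X = E.add(E.mul(u1, P), E.mul(u2, Q))             # [3-5] u1*P + u2*Q
    return X is not None and X[0] % q == r            # [3-6] v = x0 mod q must equal r


def example_5_10():
    # Data of Example 5.10: E: y^2 = x^3 + 4x + 4 over F_13, P = (1,3), a = 2, k = 5, m = (12,7).
    E, P = Curve(13, 4, 4), (1, 3)
    beta = E.mul(2, P)                                # Bob's public key, (12, 8)
    c = mv_encrypt(E, P, beta, 5, (12, 7))            # ((10, 2), 3, 12)
    return beta, c, mv_decrypt(E, 2, c)               # decrypts back to (12, 7)


# secp256k1 domain parameters: an assumption for the ECDSA demo, not taken from the text.
SECP256K1 = Curve(2 ** 256 - 2 ** 32 - 977, 0, 7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # prime order q of G


def ecdsa_round_trip(msg=b"constructed sample message"):
    x = secrets.randbelow(N - 1) + 1                  # [1-1] private key
    Q = SECP256K1.mul(x, G)                           # [1-2] public key
    sig = ecdsa_sign(SECP256K1, G, N, x, msg)
    genuine = ecdsa_verify(SECP256K1, G, N, Q, msg, sig)
    tampered = ecdsa_verify(SECP256K1, G, N, Q, msg + b"!", sig)
    return genuine, tampered                          # (True, False)
```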


As a conclusion to Elliptic Curve Cryptography, we provide two remarks about 
the comparison of ECC and other types of cryptography, particularly the famous 
and widely used RSA cryptography. 


Remark 5.1. ECC provides a high level of security using smaller keys than those used 
in RSA. A comparison between the key sizes for an equivalent level of security for 
RSA and ECC is given in Table 5.4. 


Remark 5.2. Just as there are weak keys for RSA, there are also weak 
keys for ECC; for example, to be an acceptable elliptic curve for cryptography, a 
curve must satisfy the following conditions: 


1. If N is the number of points (integer coordinates) on the curve, then N must be 
divisible by a large prime r, i.e., N = kr for some integer k. 

2. If the curve has order r modulo p, then r must not be divisible by p^i − 1 for a 
small set of i, say, 0 < i < 20. 

3. Let N be the number of points in E(F_p); then N must not equal p. A curve 
satisfying p = N is called an anomalous curve. 


Table 5.4 Key size comparison between RSA and ECC 

Security level    RSA            ECC 
Low               512 bits       112 bits 
Medium            1024 bits      161 bits 
High              3027 bits      256 bits 
Very high         15,360 bits    512 bits 
Problems for Section 5.2 


1. Describe the advantages of Elliptic Curve Cryptography (ECC) over integer 
factoring based and discrete logarithm based cryptography. 
2. Give the complexity measures for the fastest known general algorithms for 


(1) Integer Factorization Problem (IFP). 
(2) Discrete Logarithm Problem (DLP). 
(3) Elliptic Curve Discrete Logarithm Problem (ECDLP). 


3. Give the complexity measures for 


(1) Integer Factorization Problem (IFP) based cryptosystems. 
(2) Discrete Logarithm Problem (DLP) based cryptosystems. 
(3) Elliptic Curve Discrete Logarithm Problem (ECDLP) based cryptosystems. 


4. The exponential cipher, invented by Pohlig and Hellman in 1978 and based 
on the mod p arithmetic, is a secret-key cryptosystem, but it is very close to 
the RSA public-key cryptosystem based on mod n arithmetic, where n = pq 
with p,q prime numbers. In essence, the Pohlig-Hellman cryptosystem works 
as follows: 


[1] Choose a large prime number p and the encryption key k such that 0 < k < 
p and gcd(k, p − 1) = 1. 

[2] Compute the decryption key k′ such that k·k′ ≡ 1 (mod p − 1). 

[3] Encryption: C = M^k (mod p). 

[4] Decryption: M = C^{k′} (mod p). 


Clearly, if you change the modulo p to modulo n = pq, then the Pohlig-Hellman 
cryptosystem is just the RSA cryptosystem. 


(1) Design an elliptic curve analog of the Pohlig-Hellman cryptosystem. 
(2) Explain why the original Pohlig-Hellman cryptosystem is easy to break 
whereas the elliptic curve Pohlig-Hellman cryptosystem is hard to break. 


5. Koyama et al. [37] proposed three trap-door one-way functions; one of the 
functions claimed to be applicable to zero-knowledge identification protocols. 
Give an implementation of the elliptic curve trap-door one-way function to the 
zero-knowledge identification protocol. 

6. Suppose that Alice and Bob want to establish a secret key for future encryption 
in ECDHM key-exchange. Both Alice and Bob perform as follows: 


E: y² = x³ − 4 (mod 211),  P = (0, −4) ∈ E 

Alice                                         Bob 
Chooses a secretly                            Chooses b secretly 
Computes aP (mod 211)                         Computes bP (mod 211) 
            ---------- aP mod 211 ---------> 
            <--------- bP mod 211 ---------- 
Computes a(bP) (mod 211)                      Computes b(aP) (mod 211) 

                  shared key abP (mod 211) 


Find the actual values for 


(1) aP mod 211. 
(2) bP mod 211. 
(3) abP mod 211. 
(4) baP mod 211. 


Verify abP = baP (mod 211). 
7. Let the elliptic curve analog of a DHM scheme be as follows. 


E\F_11027: y² = x³ + 4601x + 548, 
P = (2651, 6701) ∈ E(F_11027), 


Alice                                           Bob 
a                                               b 
        ------ aP mod 11027 = (177, 8610) ------> 
        <----- bP mod 11027 = (1055, 2617) ------ 
bP mod 11027 = (1055, 2617)                     aP mod 11027 = (177, 8610) 
a(bP) mod 11027 = (9089, 10631)                 b(aP) mod 11027 = (9089, 10631) 

                    k = (3432, 1094) 


(1) Find the discrete logarithm a such that 
aP mod 11027 = (177, 8610). 
(2) Find the discrete logarithm b such that 
bP mod 11027 = (1055, 2617). 
8. Consider the elliptic curve E 
E: y² = x³ + x + 3 


over the field F_199. Let M = (1, 76) ∈ E(F_199) and (e_A, e_B) = (23, 71). 


(1) Find the number of points, N, in E(F_199). 
(2) Find 


e_A P mod q, 
e_A e_B M mod q. 


5 Quantum Computing for Elliptic Curve Discrete Logarithms 


(3) Find 
e_A e_B d_A M mod q, 
e_A e_B d_A d_B M mod q. 
(4) Check if e_A e_B d_A d_B M mod q = P? 


9. Consider the elliptic curve E 


E: y² = x³ + 1441x + 611 


over the field F_2591. Let P = (1619, 2103) ∈ E(F_2591), (e_A, e_B) = (107, 257). 


(1) Find the number of points, N, in E(F_2591). 
(2) Find 

e_A P mod q, 

e_A(e_B M) mod q. 


(3) Find 
d_A(e_A e_B)M mod q, 
d_B(d_A e_A e_B M) mod q. 
(4) Check if e_A e_B d_A d_B P mod q = M? 
10. Let p be a 200-digit prime number as follows: 


p = 10000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000153. 


Let the elliptic curve over F_p be as follows: 
E\F_p: y² = x³ + 105x + 78153 (mod p), 


with a point order: 


N = 10000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000000 
06789750288004224118080314365460277641928049641888 
39991591392960032210630561760029050858613689631753. 


(1) Let e_A = 179, compute d_A ≡ e_A⁻¹ mod N. 

(2) Let e_B = 983, compute d_B ≡ e_B⁻¹ mod N. 
11. Let p be a prime number 


p = 123456789012345678901234567890654833374525085966737125236501. 


Let also the elliptic curve over F_p be as follows: 
E\F_p: y² = x³ + 112507913528623610837613885503682230698868883572599681384335x 
− 112507913528623610837613885503682230698868883572599681384335 
(mod p), 

with order |E(F_p)| = N as follows: 


N = 123456789012345678901234567890123456789012345678901234568197. 


Suppose 
(7642989232975292895356351754903278029804860223284406315749, 
100181741322448105444520871614464053169400529776945655771441) 
is the plaintext point M, and Alice wishes to send M to Bob. 

Assume 


e_A = 3, 

d_A = 82304526008230452600823045260082304526008230452600823045465, 

e_B = 7, 

d_B = 17636684144620811271604938270017636684144620811271604938314, 
all modulo p. Compute: 


(1) e_A M mod p. 

(2) e_B(e_A M) mod p. 

(3) d_A(e_B e_A M) mod p. 

(4) d_B(d_A e_B e_A M) mod p. 

(5) Check if d_B(d_A e_B e_A M) mod p = M? 

12. Suppose that Alice wants to send Bob a secret message M = (10, 9) using 
elliptic curve ElGamal cryptography. Both Alice and Bob perform as follows: 


E: y² = x³ + x + 6 (mod 11),  P = (2, 7) ∈ E 

Alice                                         Bob 
Chooses a = 3 secretly                        Chooses b = 7 secretly 
Computes aP (mod 11)                          Computes bP (mod 11) 
            <---------- bP mod 11 ---------- 
            ---- {aP, M + a(bP)} mod 11 ---> 
                                              M = M + a(bP) − b(aP) (mod 11) 


Compute the actual values for 


(1) aP mod 11. 

(2) bP mod 11. 

(3) b(aP) mod 11. 

(4) a(bP) mod 11. 

(5) (M + a(bP)) mod 11. 

(6) (M + a(bP) − b(aP)) mod 11. 


Check if (M + a(bP) − b(aP)) mod 11 = (10, 9)? 

13. Suppose that Alice wants to send Bob a secret message M = (562, 201) 
in elliptic curve ElGamal cryptography. Both Alice and Bob perform the 
following: 


E: y² = x³ − x + 188 (mod 751),  P = (0, 376) ∈ E 

Alice                                         Bob 
Chooses a = 386 secretly                      Chooses b = 517 secretly 
Computes aP (mod 751)                         Computes bP (mod 751) 
            <---------- bP mod 751 --------- 
            ---- {aP, M + a(bP)} mod 751 --> 
                                              M = M + a(bP) − b(aP) (mod 751) 


Compute the actual values for 

(1) aP mod 751. 

(2) bP mod 751. 

(3) a(bP) mod 751. 

(4) b(aP) mod 751. 

(5) (M + a(bP)) mod 751. 

(6) (M + a(bP) − b(aP)) mod 751. 


Check if (M + a(bP) − b(aP)) mod 751 = (562, 201)? 

14. Suppose that Alice wants to send Bob a secret message M = (316, 521) 
in elliptic curve ElGamal cryptography. Both Alice and Bob perform the 
following: 


E: y² = x³ + 6x + 167 (mod 547),  P = (61, 440) ∈ E 

Alice                                         Bob 
Chooses a secretly                            Chooses b secretly 
Computes aP (mod 547) = (483, 59)             Computes bP (mod 547) = (168, 341) 
            <------ bP mod 547 = (168, 341) ------ 
            --- {aP, M + a(bP)} mod 547 = {(483, 59), (49, 178)} ---> 
                                              M = M + a(bP) − b(aP) (mod 547) 
                                                = (49, 178) + (143, −443) (mod 547) 
                                                = (316, 521) (mod 547). 


Find 


(1) a such that aP mod 547 = (483, 59). 
(2) b such that bP mod 547 = (168, 341). 
(3) a(bP) mod 547. 

(4) b(aP) mod 547. 

(5) Check if a(bP) = b(aP) (mod 547)? 
15. Let E\F_{2^m} be the elliptic curve E over F_{2^m} with m > 1, where E is defined by 
y² + xy = x³ + ax² + b. 


(1) Let P, Q ∈ E with P ≠ ±Q be two points on E. Find the addition formula 
for computing P + Q. 

(2) Let P ∈ E with P ≠ −P. Find the addition formula for computing 2P. 

(3) Let E\F_{2^4} be as follows: 


E\F_{2^4}: y² + xy = x³ + α⁴x² + 1 (mod 2⁴). 


Find all the points, E(F_{2^4}), including the point at infinity, on E. 
(4) Let P = (α⁶, α⁸) and Q = (α³, α¹³) be in E\F_{2^4} defined above; find P + Q 
and 2P. 


16. Show that breaking ECC or any ECDLP-based cryptography is generally 
equivalent to solving the ECDLP problem. 


5.3 Quantum Algorithms for Elliptic Curve Discrete Logarithms 


5.3.1 Basic Idea for Quantum Attacking on ECDLP/ECDLP-Based Cryptography 


Shor’s quantum algorithms for discrete logarithms can be used to solve the elliptic 
curve discrete logarithms in BQP. 


      ECDLP        ---- can be used to construct ---->   ECDLP-Based Cryptography 
    Infeasible                                                    Secure 
     (Hard)                                                   (Unbreakable) 
        \                                                           / 
         \------------- Efficient Quantum Attacks ----------------/ 
                 on both ECDLP and ECDLP-Based Cryptography 


Surprisingly, 
Quantum Period Finding Algorithm 
  → Quantum ECDLP Algorithm 
  → Quantum Attacks on ECDLP-Based Cryptography 

As we mentioned earlier, the DLP problem is just an inverse problem: finding 
the multiplicative inverse in Z_p^*. Remarkably enough, the ECDLP problem is also an 
inverse problem: finding the additive inverse in E(F_p). More importantly, the method 
for solving such an inverse problem is still Euclid’s algorithm, but an elliptic 
curve version of the old and efficient Euclid’s algorithm. Let us first review how 
Euclid’s algorithm can be used to solve for (x, y) in the following congruence: 

ax − by = 1. 

To be more specific, we show how to use Euclid’s algorithm to find x, y in 


7x − 26y = 1, 


which is equivalent to finding x in 


7⁻¹ ≡ x (mod 26). 


26 = 7·3 + 5        5 = 26 − 7·3 
7 = 5·1 + 2         2 = 7 − 5·1 
5 = 2·2 + 1         1 = 5 − 2·2 
                      = 5 − 2(7 − 5·1) 
                      = 3·5 − 2·7 
                      = 3·(26 − 7·3) − 2·7 
                      = 3·26 − 7·11 
                      = 7(−11) − 26(−3) 


So, we find 


(x,y) = (-11, -3). 
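The hand computation above, as an added Python example (not the book’s code): the iterative form of the extended Euclidean algorithm on 7x − 26y = 1, the division steps it records, and the modular inverse 7⁻¹ mod 26 that the same routine yields, which is the operation Proos and Zalka later delegate to a classical computer.

```python
def euclid_steps(a, b):
    """Division steps (dividend, divisor, quotient, remainder) of Euclid's algorithm,
    in the order the text writes them: 26 = 7*3 + 5, 7 = 5*1 + 2, 5 = 2*2 + 1, ..."""
    steps = []
    hi, lo = max(a, b), min(a, b)
    while lo:
        q, rem = divmod(hi, lo)
        steps.append((hi, lo, q, rem))
        hi, lo = lo, rem
    return steps


def solve_ax_minus_by(a, b):
    """Return (g, x, y) with a*x - b*y = g = gcd(a, b).

    The back-substitution of the text is carried forward step by step as Bezout
    coefficients, so no second pass over the remainders is needed."""
    old_r, r = a, b
    old_s, s = 1, 0        # coefficients of a
    old_t, t = 0, 1        # coefficients of b
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    # old_s*a + old_t*b = g, i.e. a*x - b*y = g with x = old_s and y = -old_t
    return old_r, old_s, -old_t


def mod_inverse(a, n):
    """a^{-1} mod n from the same routine; for (7, 26) the text's x = -11 becomes 15."""
    g, x, _ = solve_ax_minus_by(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return x % n
```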


The quantum algorithms, say e.g., Proos-Zalka’s algorithm [51] and Eicher-Opoku’s 
algorithm [15] for ECDLP, aim at finding (a, b) in 


aP + bQ = 1. 
Recall that the ECDLP problem asks to find r such that 

Q = rP, 
where P is a point of order m on an elliptic curve over a finite field F_q, Q ∈ G and 
G = ⟨P⟩. A way to find r is to find distinct pairs (a′, b′) and (a″, b″) of integers 
modulo r such that 


a′P + b′Q = a″P + b″Q. 


Then 
(a′ − a″)P = (b″ − b′)Q, 
that is, 
Q = ((a′ − a″)/(b″ − b′)) P, 
or alternatively, 
r ≡ (a′ − a″)/(b″ − b′) (mod m). 


The computation to find, say e.g., aP can be done efficiently as follows. Let 
e_{β−1}e_{β−2} ··· e₁e₀ be the binary representation of a. Then for i starting from β − 1 
down to 0 (e_{β−1} is always 1 and is used for initialization), check whether or not 
e_i = 1. If e_i = 1, then perform a doubling and an addition group operation; 
otherwise, just perform a doubling operation. For example, to compute 89P, since 
89 = 1011001, we have: 


e₆  1   P                                     initialization 

e₅  0   2P                                    doubling 

e₄  1   2(2P) + P                             doubling and addition 
e₃  1   2(2(2P) + P) + P                      doubling and addition 
e₂  0   2(2(2(2P) + P) + P)                   doubling 

e₁  0   2(2(2(2(2P) + P) + P))                doubling 

e₀  1   2(2(2(2(2(2P) + P) + P))) + P         doubling and addition 


        = 89P 

The following algorithm implements this idea of repeated doubling and addition for 
computing kP. 
Algorithm 5.5 (Fast Group Operations kP on Elliptic Curves). This algorithm 
computes aP, where a is a large integer and P is assumed to be a point on 
an elliptic curve E: y² = x³ + ax + b. 


[1] Write a in the binary expansion form a = e_{β−1}e_{β−2} ··· e₁e₀, where each e_i 
is either 1 or 0. (Assume a has β bits.) 

[2] Set c ← O. 

[3] Compute aP: 


for i from β − 1 down to 0 do 
    c ← 2c (doubling); 
    if e_i = 1 then c ← c + P (addition); 
[4] Print c; (now c = aP) 


Note that Algorithm 5.5 does not actually calculate the coordinates (x, y) of kP 
on an elliptic curve 


E\F_p: y² = x³ + ax + b (mod p). 


To make Algorithm 5.5 a practically useful algorithm for point additions on an 
elliptic curve E, we must incorporate the actual coordinate addition P₃(x₃, y₃) = 
P₁(x₁, y₁) + P₂(x₂, y₂) on E into the algorithm. To do this, we use the following 
formulas to compute x₃ and y₃ for P₃: 


(x₃, y₃) = (λ² − x₁ − x₂, λ(x₁ − x₃) − y₁), 


where 
λ = (3x₁² + a)/(2y₁)      if P₁ = P₂, 
λ = (y₂ − y₁)/(x₂ − x₁)   otherwise. 


For curves of the form 
E\F_{2^m}: y² + xy = x³ + ax² + b (mod 2^m), 
if P₁ ≠ P₂, then 
(x₃, y₃) = (λ² + λ + x₁ + x₂ + a, λ(x₁ + x₃) + x₃ + y₁), 


where 


λ = (y₁ + y₂)/(x₁ + x₂). 


If P₁ = P₂, then 
(x₃, y₃) = (λ² + λ + a, x₁² + λx₃ + x₃), 
where 
λ = x₁ + y₁/x₁. 


Also for curves of the form 
E\F_{2^m}: y² + cy = x³ + ax + b (mod 2^m), 
if P₁ ≠ P₂, then 


(x₃, y₃) = (λ² + x₁ + x₂, λ(x₁ + x₃) + y₁ + c), 


where 
λ = (y₁ + y₂)/(x₁ + x₂). 
If P₁ = P₂, then 
(x₃, y₃) = (λ², λ(x₁ + x₃) + y₁ + c), 
where 
λ = (x₁² + a)/c. 
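The following Python is an added example, not the book’s code: it implements the F_{2^m} group law just given for y² + xy = x³ + ax² + b, with field arithmetic in F_{2^4} = F₂[x]/(x⁴ + x + 1) (the modulus of Figure 5.5), and drives it with the repeated doubling-and-addition of Algorithm 5.5, reproducing the 89P example. The sample curve y² + xy = x³ + α⁴x² + 1 with P = (α⁶, α⁸), Q = (α³, α¹³) is the data of Problem 15; taking α⁴ as the coefficient a is an assumption made here.

```python
# F_{2^4} = F_2[x]/(x^4 + x + 1), elements as 4-bit integers (bit i = coefficient of x^i).
M, MODULUS = 4, 0b10011


def gf_mul(u, v):
    # Carry-less multiplication, reducing by the modulus whenever degree m is reached.
    r = 0
    for _ in range(M):
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & (1 << M):
            u ^= MODULUS
    return r


def gf_inv(u):
    # u^(2^m - 2) = u^-1 in F_{2^m}^* (Fermat); adequate for a 16-element field.
    if u == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u, e = gf_mul(u, u), e >> 1
    return r


def alpha_pow(e):
    # alpha = x generates F_16^*; alpha^4 = alpha + 1 = 0b0011 under this modulus.
    r = 1
    for _ in range(e % 15):
        r = gf_mul(r, 0b0010)
    return r


class BinaryCurve:
    """y^2 + xy = x^3 + a x^2 + b over F_{2^m}; None is the point at infinity O."""

    def __init__(self, a, b):
        self.a, self.b = a, b

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        x2 = gf_mul(x, x)
        return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(self.a, x2) ^ self.b

    def add(self, P, Q):
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2:
            if y1 != y2 or x1 == 0:                      # Q = -P = (x1, x1 + y1), so P + Q = O
                return None
            lam = x1 ^ gf_mul(y1, gf_inv(x1))            # doubling: lambda = x1 + y1/x1
            x3 = gf_mul(lam, lam) ^ lam ^ self.a
            y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)    # x1^2 + lambda*x3 + x3
        else:
            lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))       # lambda = (y1 + y2)/(x1 + x2)
            x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ self.a
            y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
        return (x3, y3)

    def mul(self, k, P):
        # Algorithm 5.5: c <- O; per bit of k from the top: c <- 2c, then c <- c + P if the bit is 1.
        c = None
        for bit in bin(k)[2:]:
            c = self.add(c, c)
            if bit == "1":
                c = self.add(c, P)
        return c

    def points(self):
        # E(F_16) by exhaustive search, O included.
        return [None] + [(x, y) for x in range(1 << M) for y in range(1 << M)
                         if self.on_curve((x, y))]


# Problem 15 data; the coefficient a = alpha^4 is an assumption, b = 1.
E = BinaryCurve(alpha_pow(4), 1)
P = (alpha_pow(6), alpha_pow(8))
Q = (alpha_pow(3), alpha_pow(13))


def problem_15_results():
    return E.add(P, Q), E.mul(2, P)          # (1, alpha^13) and (alpha^10, alpha^8)


def lagrange_check():
    # |E(F_16)| * R = O for every R in E(F_16): exercises doubling, addition and the O cases.
    pts = E.points()
    return len(pts), all(E.mul(len(pts), R) is None for R in pts)


def scalar_89P():
    # The 89 = 1011001 example of the text: six doublings and three additions.
    return E.mul(89, P)
```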


In what follows, we shall mainly introduce three types of quantum attacks on 
ECDLP/ECC: 


1. Eicher-Opoku’s Quantum Attack on ECDLP. 
2. Proos-Zalka’s Quantum Attack on ECDLP. 
3. CMMP Quantum Attack on Elliptic Curve Cryptography. 


5.3.2. Eicher-Opoku’s Quantum Algorithm for ECDLP 


It is quite straightforward to use Shor’s quantum algorithm for DLP [54], discussed 
in the previous chapter, to solve ECDLP in BQP. The following is a modified 
version of Shor’s algorithm to solve the ECDLP problem over F_p with p prime (we 
assume that N is the order of the point P in E(F_p)), based on Eicher and Opoku [15]. 
Algorithm 5.6 (Eicher-Opoku’s Quantum Algorithm for ECDLP). The quantum 
algorithm tries to find 


r = log_P Q (mod p) 
such that 
Q = rP (mod p), 


where P, Q ∈ E(F_p), and N is the order of the point P in E(F_p). 


[1] Initialize three required quantum registers as follows: 
|ψ⟩ = |O, O, O⟩, 


where O denotes the point at infinity, as defined in the elliptic curve group 
E(F_p). 

[2] Choose q with p < q < 2p. 

[3] Put in the first two registers of the quantum computer the uniform 
superposition of all |a⟩ and |b⟩ (mod p), and compute aP + bQ (mod p) 
in the third register. This leaves the quantum computer in the state |ψ⟩: 


$$|\psi\rangle = \frac{1}{p-1} \sum_{a=0}^{p-2} \sum_{b=0}^{p-2} |a, b, aP + bQ \ (\mathrm{mod}\ p)\rangle.$$


Note that aP + bQ (mod p) can be done efficiently by the classical doubling-
addition method [73]. 

[4] Use the Fourier transform A_q to map |a⟩ → |c⟩ and |b⟩ → |d⟩ with 
probability amplitude 


$$\frac{1}{q} \exp\left(\frac{2\pi i}{q}(ac + bd)\right).$$


Thus, the state |a, b⟩ will be changed to the state: 


$$\frac{1}{q} \sum_{c=0}^{q-1} \sum_{d=0}^{q-1} \exp\left(\frac{2\pi i}{q}(ac + bd)\right) |c, d\rangle.$$


This leaves the machine in the state |ψ⟩: 


$$|\psi\rangle = \frac{1}{(p-1)q} \sum_{a,b=0}^{p-2} \sum_{c,d=0}^{q-1} \exp\left(\frac{2\pi i}{q}(ac + bd)\right) |c, d, aP + bQ \ (\mathrm{mod}\ p)\rangle.$$


[5] Observe the state of the quantum computer and extract the required 
information. The probability of observing a state |c, d, kP (mod p)⟩ is 


$$\mathrm{Prob}(c, d, kP) = \left| \frac{1}{(p-1)q} \sum_{\substack{a,b \\ a - rb \equiv k \ (\mathrm{mod}\ p-1)}} \exp\left(\frac{2\pi i}{q}(ac + bd)\right) \right|^2, \qquad (5.3)$$


where the sum is over all (a, b) such that 
aP + bQ = kP (mod p). 


[6] Just the same as in the quantum algorithm for the DLP problem, use the 
relation 


$$a = rb + k - (p-1)\left\lfloor \frac{br + k}{p-1} \right\rfloor \qquad (5.4)$$


to substitute in (5.3) to get the amplitude on |c, d, kP (mod p)⟩: 


$$\frac{1}{(p-1)q} \sum_{b=0}^{p-2} \exp\left(\frac{2\pi i}{q}\left(brc + kc + bd - c(p-1)\left\lfloor \frac{br + k}{p-1} \right\rfloor\right)\right). \qquad (5.5)$$


This leaves finally the machine in the state |ψ⟩: 


$$\frac{1}{(p-1)q} \sum_{b=0}^{p-2} \exp\left(\frac{2\pi i}{q}\left(brc + kc + bd - c(p-1)\left\lfloor \frac{br + k}{p-1} \right\rfloor\right)\right) |c, d, kP \ (\mathrm{mod}\ p)\rangle. \qquad (5.6)$$


The probability of observing the above state |c, d, kP (mod p)⟩ is thus: 


$$\left| \frac{1}{(p-1)q} \sum_{b=0}^{p-2} \exp\left(\frac{2\pi i}{q}\left(brc + kc + bd - c(p-1)\left\lfloor \frac{br + k}{p-1} \right\rfloor\right)\right) \right|^2. \qquad (5.7)$$


Since exp(2πikc/q) does not change the probability, (5.5) can be rewritten 
algebraically as follows: 


$$\frac{1}{(p-1)q} \sum_{b=0}^{p-2} \exp\left(\frac{2\pi i}{q}\,(bT + V)\right), \qquad (5.8)$$


where 


$$T = rc + d - \frac{r}{p-1}\{c(p-1)\}_q, \qquad V = \left(\frac{br}{p-1} - \left\lfloor \frac{br + k}{p-1} \right\rfloor\right)\{c(p-1)\}_q.$$


The notation {a}_q here denotes a mod q with −q/2 < {a}_q ≤ q/2. 
[7] Finally, deduce r from (c, d). Let j be the closest integer to T/q and b ∈ 
[0, p − 2]; then 


$$|\{T\}_q| = \left| rc + d - \frac{r}{p-1}\{c(p-1)\}_q - jq \right| \le \frac{1}{2}.$$


Further, if 
|{c(p − 1)}_q| ≤ q/12, 
then 
|V| ≤ q/12. 


Therefore, given (c, d), r can be easily calculated with a high probability. 


Remark 5.3. Eicher and Opoku also showed in [15] an example of using the 
algorithm to break a particular elliptic curve Massey-Omura cryptographic system. 
More specifically, assume that 


E\F_{2^5}: y² + y = x³ (mod 33), 
F_{2^5} = {0, 1, ω, ω², ω³, …, ω³⁰}, 
N = |E(F_{2^5})| = 33, 
P_m = (…), 


e_A P_m = (…, ω¹⁴), 
e_A e_B P_m = (…), 
e_A e_B d_A P_m = e_B P_m = (ω¹⁸, …). 

They then give a demonstration of how to use the quantum algorithm to find e_A, since 
once e_A is found, d_A ≡ e_A⁻¹ (mod 33) can be found; therefore P_m = d_A e_A P_m, 
the original message point, can be found. 
5.3.3. Proos-Zalka’s Quantum Algorithm for ECDLP 


Proos and Zalka [51] proposed a quantum algorithm for solving the ECDLP problem 
over the finite field F_p with p prime (not the equally important case over the finite field 
F_{2^m} or other finite fields). Their analysis showed that a smaller quantum computer 
can break an ECDLP-based cryptographic system with the same level of security 
as an IFP-based cryptographic system that would need a larger computer. More 
specifically, a 160-bit ECC key could be broken on a quantum computer with about 
1000 qubits, whereas factoring the security-equivalent 1024-bit RSA modulus would 
need about 2000 qubits. This means that in classical computation, ECC provides a 
high level of security using smaller keys than those used in RSA; for example, 
for the same level of security, if an RSA key is about 15,360 bits, an ECC key would 
only need 512 bits. However, in quantum computation, the situation is completely 
opposite: ECDLP-based cryptography is easier to break than IFP-based cryptography. 

In Proos-Zalka’s modification of Shor’s DLP quantum algorithm, they first 
replace the quantum Fourier transform A_q with A_{2^n}, where q ≈ 2^n, for ease of 
implementation, as follows: 


$$|\psi\rangle = \frac{1}{2^n} \sum_{a=0}^{2^n-1} \sum_{b=0}^{2^n-1} |a, b, aP + bQ\rangle,$$


where 


$$aP + bQ = \sum_i a_i P_i + \sum_i b_i Q_i$$


with 


$$a = \sum_i a_i 2^i, \qquad b = \sum_i b_i 2^i, \qquad P_i = 2^i P, \qquad Q_i = 2^i Q,$$


can be performed efficiently by the classical Algorithm 5.5. However, in their imple-
mentation, Proos and Zalka have made some interesting modifications to Shor’s 
original algorithm, as follows. 


1. Eliminate the input registers |a, b⟩. Only one accumulator register is needed for 
adding a fixed point P_i (respectively Q_i) to a superposition of points (called a 
group shift), and two unitary transforms U_{P_i} and U_{Q_i}, which act on any basis 
state |S⟩ representing a point on E, are needed: 


U_{P_i}: |S⟩ → |S + P_i⟩  and  U_{Q_i}: |S⟩ → |S + Q_i⟩. 


2. Decompose the group shift. The ECDLP can be decomposed into a sequence of 
group shifts by constant, classically known elements: 


U_A: |S⟩ → |S + A⟩,  S, A ∈ E, A is fixed. 
In terms of the coordinates (x, y) of the points on E, the group shift is: 
|S⟩ = |(x, y)⟩ → |S + A⟩ = |(x, y) + (α, β)⟩ = |(x′, y′)⟩. 


So the formulas for the group addition may be written as follows: 


λ = (y − β)/(x − α) = −(y′ + β)/(x′ − α),  x′ = λ² − (x + α), 

and the shift is carried out as the reversible sequence 

x, y ↔ x − α, y − β 
     ↔ x − α, λ = (y − β)/(x − α) 
     ↔ x′ − α, λ = −(y′ + β)/(x′ − α) 
     ↔ x′ − α, y′ + β 
     ↔ x′, y′, 


where ↔ denotes a reversible operation. 
3. Decompose the divisions. The divisions of the form x, y ↔ x, y/x may be 
decomposed into the following forms: 


x, y   --(modular inverse)-->   1/x, y 
       --(multiplication)-->    1/x, y, y/x 
       --(modular inverse)-->   x, y, y/x 
       --(multiplication)-->    x, 0, y/x. 
4. Modular multiplication. The modular multiplication of the form 
x, y ↔ x, y, xy 
in 
|x, y⟩ → |x, y, xy mod p⟩ 


may be decomposed into a sequence of modular additions and modular doublings 
as follows: 


$$xy = \sum_{i=0}^{n-1} x_i 2^i y = x_0 y + 2(x_1 y + 2(x_2 y + 2(x_3 y + \cdots))) \pmod p,$$


whereas the following series of operations are performed in the third register: 
A ↔ 2A 
  ↔ 2A + x_i y (mod p),  i = n − 1, n − 2, …, 0. 


5. Modular inverse. The modular inverse is the most difficult operation in the 
quantum implementation. However, this can be done efficiently on classical 
computers by Euclid’s algorithm. So, we suggest using a classical computer, 
rather than a quantum computer, to solve this part of the problem, making quantum and 
classical computations complementary. Readers who are interested in the detailed 
quantum implementation of the modular inverse should consult [51] for more 
information. 


Remark 5.4. The algorithm runs in time O(λ³) and in space O(λ), using roughly 
6λ qubits, where λ is the input length in bits. 
Table 5.5 Comparison between quantum IFP and ECDLP algorithms 


            Quantum IFP                       Quantum ECDLP                  Classical 
  λ      Qubits (2λ)   Time (4λ³)      λ     Qubits (7λ)   Time (360λ³)    Time 
  512       1024       0.54·10⁹       110       700        0.5·10⁹         c 
  1024      2048       4.3·10⁹        163      1000        1.6·10⁹         c 
  2048      4096       34·10⁹         224      1300        4.0·10⁹         c 
  3072      6144       120·10⁹        256      1500        6.0·10⁹         c 
  15360    30720       1.5·10¹³       512      2800        50·10⁹          c 


Remark 5.5. One of the most important advantages of quantum algorithms for 
ECDLP over quantum IFP algorithms is that, for breaking cryptographic systems of the 
same level of security, namely RSA and ECC, quantum algorithms for ECDLP use fewer 
qubits than those for IFP, as given in Table 5.5. 


5.3.4 Optimized Quantum Algorithm on ECDLP/ECC 


As can be seen, the Proos-Zalka algorithm [51] is only applicable to the ECDLP over 
the finite field F_p. However, in practice, elliptic curve cryptographic systems often use 
curves over the binary finite field F_{2^m}. So later on, Kaye and Zalka [31] extended the 
Proos-Zalka algorithm to F_{2^m}. More specifically, they use Euclid’s 
algorithm for polynomials to compute inverses in F_{2^m}. 

Remarkably enough, Cheung et al. [10] proposed a quantum algorithm for attack-
ing the ECDLP/ECC over F_{2^m}, such as F_{2^255}. More specifically, they improved the 
earlier algorithms by constructing efficient quantum circuits for multiplying elements 
in binary finite fields (see, e.g., Figure 5.5 for a particular example) and by representing 
elliptic curve points in projective coordinates. The depth of their circuit implementation is 
O(m²), while the previous bound is O(m³). 


Problems for Section 5.3 


1. Give a complete algorithmic description of the Kaye-Zalka quantum ECDLP 
algorithm [31] for E(F_{2^m}). 

2. Give a complete complexity analysis of the attack given in [10] on ECDLP/ECC 
over E(F_{2^m}). 

3. Design a quantum circuit to implement the Kaye-Zalka algorithm [31] for 
breaking ECDLP/ECC in E(F_{2^m}). 
Figure 5.5 F_{2^4} multiplier with P(x) = x⁴ + x + 1 


4. Van Meter and Itoh [64] developed a fast quantum modular exponentiation 
algorithm. Extend van Meter-Itoh’s quantum modular exponentiation algorithm 
to a fast quantum elliptic curve group operation. 

5. Euclid’s algorithm is suitable for computing the gcd of both integers and polynomials, 
and more importantly, it can be performed in polynomial time even on a classical 
computer. What is the advantage of implementing a quantum Euclid’s algorithm? 

6. The fastest known (classical) algorithm for solving the Elliptic Curve Discrete 
Logarithm Problem in E(F_p) is Pollard’s ρ method, which runs in O(√p) steps. As 
periodicity lies at the very heart of the ρ method, it might (or should) be 
possible to implement a quantum version of the ρ method for ECDLP. Thus, 
give, if possible, a quantum implementation of the ρ algorithm for ECDLP. 


5.4 Chapter Notes and Further Reading 


In the DLP problem, we aim to find the discrete logarithm k such that 
y ≡ x^k (mod p), 


where x, y, p are given and p is prime, whereas in ECDLP we aim to find the elliptic 
curve discrete logarithm k such that 


Q = kP (mod p), 


where P is a point of order r on the elliptic curve 
E\F_p: y² = x³ + ax + b (mod p), 


Q ∈ ⟨P⟩, and p is a prime. From a group-theoretic point of view, the computation 
of DLP is basically in the multiplicative group Z_p^* whereas the computation of 
ECDLP is mainly in the additive group E(Z_p). Compared to DLP, the computation 
of ECDLP is more difficult than that of DLP; the fastest general-purpose algorithm 
known for solving ECDLP is Pollard’s ρ method, which has fully exponential 
expected running time of √(πr/2) = O(√p). For the same level of security, 
the key length of ECDLP-based cryptography is shorter than that of IFP- or DLP-
based cryptography. Thus, ECDLP-based cryptography is more useful in wireless 
security, where the key size is limited. However, this advantage of ECDLP-based 
cryptography is actually a serious disadvantage against quantum attacks, as for 
the same level of security, ECC is easier to break than, e.g., RSA. In this chapter, as 
in the previous two chapters, the ECDLP problem and the classical solutions to the 
ECDLP problem are discussed, followed by an introduction to the ECDLP-based 
cryptographic systems. Finally, various quantum attacks on ECDLP and ECDLP-
based cryptographic systems are discussed. 

The search for efficient classical solutions to ECDLP and ECDLP-based cryptog- 
raphy, and practical quantum attacks on ECDLP and ECDLP-based cryptography is 
one of the most active on-going research areas in mathematics, physics, computer 
science and cryptography. Readers who wish to know more about ECDLP and 
methods for solving ECDLP are suggested to consult, e.g., [3, 4, 6, 7, 11, 13, 16, 17, 
19, 21, 27, 28, 33, 34, 43, 57, 58, 67]. In particular, the Xedni calculus for ECDLP 
was proposed in [56] and analysed in [25]. 

The security of Elliptic Curve Cryptography and the Elliptic Curve Digital Signature 
Algorithm is based on the infeasibility of the Elliptic Curve Discrete Logarithm 
Problem. The idea of using elliptic curves, more specifically the Elliptic Curve 
Discrete Logarithm Problem, as the basis for constructing cryptographic systems was 
independently proposed by Miller [47] and Koblitz [32]. The following references 
provide more information on elliptic curves and elliptic curve (ECDLP-based) 
cryptography: [1-4, 9, 11, 13, 14, 19-22, 24, 33, 34, 36, 38, 39, 41, 44, 46, 48, 49, 
52, 53, 56-63, 65-67, 73, 74]. 

Related literature on quantum attacks on ECDLP and ECDLP-based cryptogra-
phy may be found in [8, 10, 15, 26, 30, 31, 50, 51, 54, 55, 71, 72]. 

For recent research progress on molecular DNA computation for ECDLP, readers 
are suggested to consult the following references and the references therein: [23, 29, 40]. 
Chapter 6 
Miscellaneous Quantum Algorithms 


Any noun can be verbed. 


ALAN PERLIS (1922-1990) 
The First (1966) Turing Award Recipient 


So far, we have discussed classical and particularly quantum algorithms for integer 
factoring, discrete logarithms and elliptic curve discrete logarithms. This does not 
mean that quantum algorithms can only be used to solve the integer factorization problem, 
the discrete logarithm problem and the elliptic curve discrete logarithm problem. In fact, 
quantum algorithms, and quantum computers in general, can solve other problems 
with either a superpolynomial (exponential) speedup or a polynomial speedup. In 
this last and short chapter, we shall discuss various other quantum algorithms 
and methods for further number-theoretic problems. Unlike the previous chapters, 
we will not emphasize the details of the quantum algorithms for 
number-theoretic problems; rather, we shall concentrate on new ideas and new 
developments in quantum algorithms for number-theoretic problems. 


6.1 Solving Pell’s Equation 


By solving Pell's equation, we mean finding the positive integer solutions (x, y) to 
either of the following equations 

$$x^2 - dy^2 = \pm 1, \qquad x^2 - dy^2 = \pm c,$$

where d is a positive square-free integer and c is a positive integer less than $\sqrt{d}$. 
Mathematically speaking, the solution to Pell's equation can be easily obtained in 
terms of the continued fraction of $\sqrt{d}$. In what follows, we present some theoretical 
results for solving Pell's equation without proofs (the complete proofs may be 
found in [53]). 
Pell's equation may be informally defined as follows. 

PellEqn := 
    Input:  d, a square-free positive integer; 
            c, a positive integer less than $\sqrt{d}$. 
    Output: $(x_0, y_0)$, the smallest positive integer solution to 
            $x^2 - dy^2 = \pm c$. 


In most cases, we consider the equation of the form 
$$x^2 - dy^2 = \pm 1,$$ 
or simply just 
$$x^2 - dy^2 = 1.$$ 


Theorem 6.1. Let $\alpha$ be an irrational number. If a/b is a rational number in lowest 
terms, where a and b are integers with b > 0, such that 

$$\left|\alpha - \frac{a}{b}\right| < \frac{1}{2b^2},$$

then a/b is a convergent of the simple continued fraction expansion of $\alpha$. 


Theorem 6.2. Let $\alpha$ be an irrational number greater than 1. The (k + 1)th 
convergent to $1/\alpha$ is the reciprocal of the kth convergent to $\alpha$, for $k = 1, 2, \ldots$. 

Theorem 6.3. Let d be a positive integer other than a perfect square. If $(x_0, y_0)$ is 
a positive integral solution of $x^2 - dy^2 = \pm 1$, then $x_0 = P_n$ and $y_0 = Q_n$, where 
$P_n/Q_n$ is one of the convergents of $\sqrt{d}$. 


Theorem 6.4. Let d be a positive integer other than a perfect square, and m the 
period of the expansion of $\sqrt{d}$ as a simple continued fraction. Then we have: 

1. m is even 

(1) The positive integer solutions of $x^2 - dy^2 = 1$ are 

$$x = P_{km-1}, \quad y = Q_{km-1}, \quad \text{for } k = 1, 2, 3, \ldots,$$ 

with $x = P_{m-1}$, $y = Q_{m-1}$ as the smallest positive integer solution. 

(2) The equation $x^2 - dy^2 = -1$ has no integer solution. 

2. m is odd 

(1) The positive integer solutions of $x^2 - dy^2 = 1$ are 

$$x = P_{km-1}, \quad y = Q_{km-1}, \quad \text{for } k = 2, 4, 6, \ldots,$$ 

with $x = P_{2m-1}$, $y = Q_{2m-1}$ as the smallest positive integer solution. 

(2) The positive integer solutions of $x^2 - dy^2 = -1$ are 

$$x = P_{km-1}, \quad y = Q_{km-1}, \quad \text{for } k = 1, 3, 5, \ldots,$$ 

with $x = P_{m-1}$, $y = Q_{m-1}$ as the smallest positive integer solution. 


Example 6.1. Find the integer solutions of $x^2 - 73y^2 = 1$. Note first that 

$$\sqrt{73} = [8;\ \overline{1, 1, 5, 5, 1, 1, 16}].$$ 

So the period is m = 7 and of course m is odd. Thus, the equation is soluble and its 
smallest positive integral solution is 

$$x = P_{2m-1} = P_{2 \cdot 7 - 1} = P_{13} = 2281249,$$ 
$$y = Q_{2m-1} = Q_{2 \cdot 7 - 1} = Q_{13} = 267000.$$ 

That is, $2281249^2 - 73 \cdot 267000^2 = 1$. 
Example 6.2. Find the integer solutions of $x^2 - 97y^2 = 1$. Note first that 

$$\sqrt{97} = [9;\ \overline{1, 5, 1, 1, 1, 1, 1, 1, 5, 1, 18}].$$ 

So the period m = 11 is odd. Thus, the equation is soluble and its smallest positive 
integral solution is 

$$x = P_{2m-1} = P_{2 \cdot 11 - 1} = P_{21} = 62809633,$$ 
$$y = Q_{2m-1} = Q_{2 \cdot 11 - 1} = Q_{21} = 6377352.$$ 

That is, $62809633^2 - 97 \cdot 6377352^2 = 1$. 


Remark 6.1. Incidentally, the continued fraction for $\sqrt{d}$, with d not a perfect square, 
always has the form 

$$\sqrt{d} = [a_0;\ \overline{a_1, a_2, \ldots, a_2, a_1, 2a_0}],$$ 

as can be seen in Table 6.1. 


Table 6.1 Continued fractions for $\sqrt{d}$ with d < 50 and not a perfect square 
(the part after the semicolon is the period) 

√2  = [1; 2]                       √3  = [1; 1, 2] 
√5  = [2; 4]                       √6  = [2; 2, 4] 
√7  = [2; 1, 1, 1, 4]              √8  = [2; 1, 4] 
√10 = [3; 6]                       √11 = [3; 3, 6] 
√12 = [3; 2, 6]                    √13 = [3; 1, 1, 1, 1, 6] 
√14 = [3; 1, 2, 1, 6]              √15 = [3; 1, 6] 
√17 = [4; 8]                       √18 = [4; 4, 8] 
√19 = [4; 2, 1, 3, 1, 2, 8]        √20 = [4; 2, 8] 
√21 = [4; 1, 1, 2, 1, 1, 8]        √22 = [4; 1, 2, 4, 2, 1, 8] 
√23 = [4; 1, 3, 1, 8]              √24 = [4; 1, 8] 
√26 = [5; 10]                      √27 = [5; 5, 10] 
√28 = [5; 3, 2, 3, 10]             √29 = [5; 2, 1, 1, 2, 10] 
√30 = [5; 2, 10]                   √31 = [5; 1, 1, 3, 5, 3, 1, 1, 10] 
√32 = [5; 1, 1, 1, 10]             √33 = [5; 1, 2, 1, 10] 
√34 = [5; 1, 4, 1, 10]             √35 = [5; 1, 10] 
√37 = [6; 12]                      √38 = [6; 6, 12] 
√39 = [6; 4, 12]                   √40 = [6; 3, 12] 
√41 = [6; 2, 2, 12]                √42 = [6; 2, 12] 
√43 = [6; 1, 1, 3, 1, 5, 1, 3, 1, 1, 12]   √44 = [6; 1, 1, 1, 2, 1, 1, 1, 12] 
√45 = [6; 1, 2, 2, 2, 1, 12]       √46 = [6; 1, 3, 1, 1, 2, 6, 2, 1, 1, 3, 1, 12] 
√47 = [6; 1, 5, 1, 12]             √48 = [6; 1, 12] 
√50 = [7; 14] 

Tables 6.2 and 6.3 show the smallest positive integer solutions (x, y) to Pell's 
equations $x^2 - dy^2 = 1$ and $x^2 - dy^2 = -1$ for 1 < d < 100 (except the perfect 
squares), respectively. 

The following is actually a corollary of Theorem 6.4. 

Corollary 6.1. Let d be a positive integer other than a perfect square, m the period 
of the expansion of $\sqrt{d}$ as a simple continued fraction, and $P_n/Q_n$, $n = 1, 2, \ldots$, the 
convergents to $\sqrt{d}$. Then the complete set of all solutions, positive and 
negative (if any), of Pell's equation is: 

1. m even 

(1) $x^2 - dy^2 = 1$: for $i = 0, 1, 2, 3, \ldots$, 

$$x + y\sqrt{d} = \pm\left(P_{m-1} + \sqrt{d}\,Q_{m-1}\right)^i.$$ 

(2) $x^2 - dy^2 = -1$: no solutions. 

2. m odd 

(1) $x^2 - dy^2 = 1$: for $i = 0, 2, 4, \ldots$, 

$$x + y\sqrt{d} = \pm\left(P_{m-1} + \sqrt{d}\,Q_{m-1}\right)^i.$$ 

(2) $x^2 - dy^2 = -1$: for $i = 1, 3, 5, \ldots$, 

$$x + y\sqrt{d} = \pm\left(P_{m-1} + \sqrt{d}\,Q_{m-1}\right)^i.$$ 

(Since $P_{m-1} + \sqrt{d}\,Q_{m-1}$ has norm $(-1)^m$, for m odd its even powers have norm 1 and its odd powers have norm -1, in agreement with Theorem 6.4.) 

Table 6.2 The smallest solution to $x^2 - dy^2 = 1$ for d < 100 

 d        x          y  |  d        x          y 
 2        3          2  |  3        2          1 
 5        9          4  |  6        5          2 
 7        8          3  |  8        3          1 
10       19          6  | 11       10          3 
12        7          2  | 13      649        180 
14       15          4  | 15        4          1 
17       33          8  | 18       17          4 
19      170         39  | 20        9          2 
21       55         12  | 22      197         42 
23       24          5  | 24        5          1 
26       51         10  | 27       26          5 
28      127         24  | 29     9801       1820 
30       11          2  | 31     1520        273 
32       17          3  | 33       23          4 
34       35          6  | 35        6          1 
37       73         12  | 38       37          6 
39       25          4  | 40       19          3 
41     2049        320  | 42       13          2 
43     3482        531  | 44      199         30 
45      161         24  | 46    24335       3588 
47       48          7  | 48        7          1 
50       99         14  | 51       50          7 
52      649         90  | 53    66249       9100 
54      485         66  | 55       89         12 
56       15          2  | 57      151         20 
58    19603       2574  | 59      530         69 
60       31          4  | 61 1766319049  226153980 
62       63          8  | 63        8          1 
65      129         16  | 66       65          8 
67    48842       5967  | 68       33          4 
69     7775        936  | 70      251         30 
71     3480        413  | 72       17          2 
73  2281249     267000  | 74     3699        430 
75       26          3  | 76    57799       6630 
77      351         40  | 78       53          6 
79       80          9  | 80        9          1 
82      163         18  | 83       82          9 
84       55          6  | 85   285769      30996 
86    10405       1122  | 87       28          3 
88      197         21  | 89   500001      53000 
90       19          2  | 91     1574        165 
92     1151        120  | 93    12151       1260 
94  2143295     221064  | 95       39          4 
96       49          5  | 97 62809633    6377352 
98       99         10  | 99       10          1 

Table 6.3 The smallest solution to $x^2 - dy^2 = -1$ for d < 100 
(only those d for which the equation is soluble, i.e., the period of $\sqrt{d}$ is odd) 

 d        x          y  |  d        x          y 
 2        1          1  |  5        2          1 
10        3          1  | 13       18          5 
17        4          1  | 26        5          1 
29       70         13  | 37        6          1 
41       32          5  | 50        7          1 
53      182         25  | 58       99         13 
61    29718       3805  | 65        8          1 
73     1068        125  | 74       43          5 
82        9          1  | 85      378         41 
89      500         53  | 97     5604        569 
The solutions to the more general equation 
$$x^2 - dy^2 = \pm c$$ 

are also related to the continued fraction of $\sqrt{d}$. It can be shown that every solution 
of such an equation comes from some convergent in the continued fraction for $\sqrt{d}$. 
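The following Python program is an added worked example (it is not code from the book) that carries the theorems above through in full: it computes the periodic continued fraction of $\sqrt{d}$ (Remark 6.1), the convergents $P_n/Q_n$, the fundamental solution by Theorem 6.4, all further solutions by the powers of Corollary 6.1, and the solutions of $x^2 - dy^2 = \pm c$ found among the convergents as stated in the paragraph just above. It also computes the regulator $R = \log(x_0 + y_0\sqrt{d})$ that the next paragraph introduces. The function names are my own; the values for d = 73 and d = 97 reproduce Examples 6.1 and 6.2.

```python
# Pell's equation x^2 - d y^2 = +-1 (and +-c) from the continued fraction of
# sqrt(d).  Added example, not code from the book; function names are my own.
from math import isqrt, log, sqrt


def cf_sqrt(d):
    """Return (a0, period) with sqrt(d) = [a0; period repeated forever].

    Standard recurrence on alpha_k = (sqrt(d) + m_k) / q_k; the period ends at
    the first partial quotient equal to 2*a0 (compare Remark 6.1).
    """
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    m, q, a, period = 0, 1, a0, []
    while a != 2 * a0:
        m = q * a - m
        q = (d - m * m) // q
        a = (a0 + m) // q
        period.append(a)
    return a0, period


def convergents(d, count):
    """Convergents P_n/Q_n of sqrt(d) for n = 0..count-1, with P_0/Q_0 = a0/1
    (the indexing of Theorems 6.3 and 6.4)."""
    a0, period = cf_sqrt(d)
    p_prev, p, q_prev, q = 1, a0, 0, 1      # (P_-1, P_0, Q_-1, Q_0)
    out = [(p, q)]
    for n in range(1, count):
        a = period[(n - 1) % len(period)]
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        out.append((p, q))
    return out


def fundamental_solution(d, rhs=1):
    """Smallest positive solution of x^2 - d y^2 = rhs (rhs = +1 or -1) by
    Theorem 6.4; None when rhs = -1 and the period m is even."""
    m = len(cf_sqrt(d)[1])
    if rhs == 1:
        n = m - 1 if m % 2 == 0 else 2 * m - 1
    elif rhs == -1:
        if m % 2 == 0:
            return None
        n = m - 1
    else:
        raise ValueError("rhs must be 1 or -1")
    return convergents(d, n + 1)[n]


def solutions(d, rhs, count):
    """First `count` positive solutions of x^2 - d y^2 = rhs, as the powers of
    P_{m-1} + Q_{m-1} sqrt(d) in Z[sqrt(d)] (Corollary 6.1)."""
    m = len(cf_sqrt(d)[1])
    if rhs == -1 and m % 2 == 0:
        return []                                   # norm -1 is impossible
    p, q = convergents(d, m)[m - 1]                 # unit of norm (-1)^m
    x, y, out = 1, 0, []
    while len(out) < count:
        x, y = x * p + d * y * q, x * q + y * p     # multiply by p + q sqrt(d)
        if x * x - d * y * y == rhs:
            out.append((x, y))
    return out


def solve_pell_c(d, c):
    """All (x, y, x^2 - d y^2) with x^2 - d y^2 = +-c, 0 < c < sqrt(d), among
    the convergents of two full periods.  By Theorem 6.1 every such solution
    is a convergent, and the norms P_n^2 - d Q_n^2 repeat with the period (up
    to sign), so every attainable signed norm appears within 2m convergents."""
    if not 0 < c < sqrt(d):
        raise ValueError("need 0 < c < sqrt(d)")
    m = len(cf_sqrt(d)[1])
    return [(x, y, x * x - d * y * y) for x, y in convergents(d, 2 * m)
            if abs(x * x - d * y * y) == c]


def regulator(d):
    """R = log(x0 + y0 sqrt(d)) for the fundamental solution of x^2 - d y^2 = 1;
    this is the quantity the text recasts the problem in terms of below."""
    x0, y0 = fundamental_solution(d)
    return log(x0 + y0 * sqrt(d))


if __name__ == "__main__":
    print(cf_sqrt(73), fundamental_solution(73))        # Example 6.1
    print(cf_sqrt(97), fundamental_solution(97, -1))    # period 11, odd
    print(solve_pell_c(73, 3))                          # x^2 - 73 y^2 = +-3
```

Note how quickly the fundamental solution grows with d (d = 61 already needs a ten-digit x), which is the point made below about the solution having exponentially many bits in log d; `regulator(d)` stays small in comparison.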

It is well known that the continued fraction of $\sqrt{d}$ can be computed by Euclid's 
algorithm, which can be executed in polynomial time. However, the smallest positive 
(i.e., the fundamental) solution $(x_0, y_0)$ to the equation, say, e.g., $x^2 - dy^2 = 1$, may 
have exponentially many bits in general in terms of the input size of d, namely, log d. 
So, finding the fundamental solution using the continued fraction method, even 
with the aid of the Schönhage–Strassen algorithm for fast integer multiplication, 
cannot be done in polynomial time [30]. Of course, there is a much faster method, namely 
the quadratic sieve, but this is still not a polynomial-time algorithm, as it runs 
in subexponential time $O\!\left(\exp\left((\log d \log\log d)^{1/2}\right)\right)$ (see [46, 52]). To resolve this 
difficulty, the computational problem is recast as computing the integer closest to 
the regulator $R = \log(x_0 + y_0\sqrt{d})$, which identifies $(x_0, y_0)$. In this representation, 
solutions of Pell's equation are positive integer multiples of R. Hallgren [25] showed 
that a quantum computer can find the above representation of the solution to Pell's 
equation in polynomial time. That is, 


Theorem 6.5. There is a polynomial-time quantum algorithm that solves Pell’s 
equation. 


Remark 6.2. Hallgren’s algorithm for Pell’s equation, which can be interpreted as 
an algorithm for finding the group of units of a real quadratic number field, was 
later extended to more general fields by Schmidt and Vollmer [40]. 


Computing the unit group, computing the class number and class group and 
solving the principal ideal problems are the main problems of computational 
algebraic number theory [12]. Incidentally, all these problems can be solved in 
quantum polynomial-time. 


Theorem 6.6. All the following computational algebraic number-theoretic prob- 
lems: 


1. the unit group of a real quadratic number field, 

2. the principal ideal problem in real quadratic number fields, 

3. the class group of a real quadratic number field (assuming GRH), 
4. the class number of a real quadratic number field (assuming GRH), 


can be solved in quantum polynomial-time. 


Corollary 6.2. Any cryptographic scheme based on the above problems, if any, say, 
e.g., the Buchmann–Williams key-exchange protocol in real quadratic number fields 
[7], can be broken in quantum polynomial-time. 


Fast quantum algorithms for computing the unit group, class group and class number 
of more general number fields and function fields are also known; interested readers 
are suggested to consult, say, e.g., [14, 15, 24]. 
Problems for Section 6.1 


1. Design a continued fraction algorithm for solving Pell's equation $x^2 - dy^2 = \pm c$, 
where d is a square-free positive integer and $c < \sqrt{d}$ a positive integer, and give 
a complete complexity analysis of the algorithm. Develop a quantum version, if 
possible, of the classical continued fraction method discussed in the section for 
solving Pell's equation. 

2. Apply Grover's quantum search algorithm to integer factoring by fast searching 
of all possible prime factors of n. Check or verify whether this search algorithm for 
factoring can be done in polynomial-time. 

3. In [39], Shanks proposed an exponential-time, $O(n^{1/5+\epsilon})$, algorithm 
based on class groups for integer factorization. Design, if possible, an exponen- 
tially faster quantum version of Shanks' class group factoring algorithm. 

4. Whether or not there is a polynomial-time classical algorithm for factoring is 
open. Prove or disprove that integer factorization cannot be done in polynomial- 
time classically. There are problems which are harder than factoring, such as 
finding the unit group of an arbitrary degree number field, for which no efficient 
quantum algorithm has been found yet. Extend, if possible, Hallgren's quantum 
algorithm [24] for computing the unit group and class group of constant degree 
number fields to that of arbitrary degree number fields. 


6.2 Verifying Number-Theoretic Conjectures 


Verifying unproved conjectures is an important task in number theory [45], as number 
theory abounds in conjectures that have been open for many years. In this section we study 
some important conjectures in which quantum computing may have a role to play, since 
if these conjectures are wrong, then quantum computing may be able to find a 
counterexample more quickly than classical computing. 


6.2.1 Verifying Riemann’s Hypothesis 


Recall that the Riemann $\zeta$-function is defined by 

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s},$$ 

where 
$$s = \sigma + it, \quad \{\sigma, t\} \subset \mathbb{R}, \quad i = \sqrt{-1}.$$ 


Note that $\sigma$ is the real part of s, denoted by Re(s), whereas t is the imaginary part 
of s, denoted by Im(s). The Riemann hypothesis states that all the nontrivial 
(complex) zeros $\rho$ of the $\zeta$-function lying in the critical strip 0 < Re(s) < 1 must lie 
on the critical line Re(s) = 1/2, that is, $\rho = 1/2 + it$, where $\rho$ denotes a nontrivial 
zero of $\zeta(s)$. Riemann himself calculated the first five nontrivial zeros of $\zeta(s)$ and 
found that they all lie on the critical line; he then conjectured that all the nontrivial 
zeros of $\zeta(s)$ are on the critical line. Riemann's conjecture may be true or may 
be false, unless one can prove it is true or one can find a counterexample to show 
it is false. To date, more than 1074 complex zeros of the $\zeta$-function have been 
calculated; all of them indeed lie on the vertical line $\sigma = 1/2$. We know 
that there are infinitely many complex zeros in the critical strip $0 < \sigma < 1$, but 
we do not know whether these infinitely many complex zeros all lie on the critical 
line $\sigma = 1/2$. If we can find one complex zero that is in the critical strip $0 < 
\sigma < 1$ but not on the critical line $\sigma = 1/2$, then Riemann's hypothesis is shown 
to be false. Given their exponential parallelism, quantum computers seem to be 
very suitable for verifying number-theoretic conjectures by counterexamples. So, 
developing an efficient quantum algorithm for calculating the nontrivial zeros of 
$\zeta(s)$ is an interesting research topic in quantum computational number theory [47]. 

Of course, to verify Riemann's hypothesis, we may not need to calculate the 
zeros of the $\zeta(s)$ function; rather, we could calculate the values of the prime 
counting function $\pi(x)$, since if Riemann's hypothesis is true, then there is a 
refinement of the Prime Number Theorem 

$$\pi(x) \sim \int_2^x \frac{dt}{\log t}$$ 

to the effect that 

$$\pi(x) = \int_2^x \frac{dt}{\log t} + O\!\left(\sqrt{x}\log x\right).$$ 

That is, 

$$\text{Riemann's hypothesis is true} \iff \pi(x) = \int_2^x \frac{dt}{\log t} + O\!\left(\sqrt{x}\log x\right).$$ 
Latorre and Sierra (see [31, 32]) developed some quantum algorithms for 
computing $\pi(x)$ and $\pi_2(x)$, as well as for primality testing, in order to verify the 
Riemann hypothesis and the twin prime conjecture. 
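The equivalence above can be tried numerically for any concrete x: count the primes up to x, evaluate the offset logarithmic integral $\int_2^x dt/\log t$, and compare the difference with $\sqrt{x}\log x$. The Python program below is an added example (not code from the book and not the Latorre–Sierra algorithm) that does exactly that on a classical computer; $\pi(x)$ comes from a sieve, the logarithmic integral from its standard series $\mathrm{li}(x) = \gamma + \log\log x + \sum_{k\ge 1} (\log x)^k/(k\cdot k!)$. The constant in the O-term is taken as 1 here, which is my choice for illustration: a violation for one x would not by itself refute the hypothesis, since the O-notation hides a constant, but it shows the size of the error term the text refers to.

```python
# pi(x) versus the offset logarithmic integral, and the RH-type error bound.
# Added example, not code from the book; function names are my own.
from math import log, sqrt

EULER_GAMMA = 0.5772156649015329


def prime_pi(x):
    """pi(x): the number of primes <= x, by a sieve of Eratosthenes."""
    n = int(x)
    if n < 2:
        return 0
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(sqrt(n)) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, n + 1, p)))
    return sum(sieve)


def li(x):
    """Logarithmic integral li(x) = int_0^x dt/log t (principal value) from the
    series li(x) = gamma + log log x + sum_{k>=1} (log x)^k / (k * k!)."""
    lx = log(x)
    total = EULER_GAMMA + log(lx)
    term = 1.0
    for k in range(1, 1000):
        term *= lx / k            # term is now (log x)^k / k!
        add = term / k
        total += add
        if add < 1e-16 * total:   # all terms are positive; stop when negligible
            break
    return total


def Li(x):
    """Offset logarithmic integral int_2^x dt/log t, the main term in the text."""
    return li(x) - li(2)


def error_and_bound(x):
    """Return (pi(x), Li(x), |pi(x) - Li(x)|, sqrt(x) log x)."""
    p, l = prime_pi(x), Li(x)
    return p, l, abs(p - l), sqrt(x) * log(x)


def rh_error_bound_holds(x):
    """True when |pi(x) - Li(x)| <= sqrt(x) log x at this x (implied constant 1,
    an assumption made here for illustration only)."""
    _, _, err, bound = error_and_bound(x)
    return err <= bound


if __name__ == "__main__":
    for x in (1000, 10**5, 10**6):
        print(x, error_and_bound(x), rh_error_bound_holds(x))
```

At x = 1000 the sieve gives $\pi(1000) = 168$ against $\mathrm{Li}(1000) \approx 176.56$, an error of about 8.6 against a bound of about 218; the gap between the two stays far inside $\sqrt{x}\log x$ for every x a classical machine can reach, which is why the text looks to quantum algorithms for this kind of search.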


Theorem 6.7. There are efficient quantum algorithms for verifying or determining 

1. the Riemann hypothesis, 
2. the twin prime conjecture, 
3. the Skewes number. 


For example, if we can find a counterexample to Riemann's hypothesis (i.e., a 
complex zero that does not lie on the vertical line $\sigma = 1/2$), then Riemann's 
hypothesis is shown to be false. In this section, we discuss some potential 
conjectures that might be verified by quantum computers. 

Of course we do not know if the Riemann hypothesis is true. Whether or not 
the Riemann hypothesis is true is one of the most important open problems in 
mathematics, and in fact it is one of the seven Millennium Prize Problems proposed 
by the Clay Mathematics Institute in Boston in 2000, each with one million US 
dollars (see [8, 9]). 


6.2.2 Verifying BSD Conjecture 


Now we move on to introduce the Birch and Swinnerton-Dyer (BSD) 
conjecture. The problem of determining the group of rational points on an elliptic 
curve $E: y^2 = x^3 + ax + b$ over $\mathbb{Q}$, denoted by $E(\mathbb{Q})$, is one of the oldest 
and most intractable problems in mathematics, and it remains unsolved to this 
day, although vast numerical evidence exists. In 1922, Mordell showed that $E(\mathbb{Q})$ 
is a finitely generated (Abelian) group. That is, $E(\mathbb{Q}) \cong E(\mathbb{Q})_{\rm tors} \oplus \mathbb{Z}^r$, where 
$r \geq 0$ and $E(\mathbb{Q})_{\rm tors}$ is a finite Abelian group (called the torsion group). The integer r is 
called the rank of the elliptic curve E over $\mathbb{Q}$, denoted by $\mathrm{rank}(E(\mathbb{Q}))$. Is there 
an algorithm to compute $E(\mathbb{Q})$ given an arbitrary elliptic curve E? The answer is 
not known, although $E(\mathbb{Q})_{\rm tors}$ can be found easily, due to a theorem of Mazur in 
1978: $\#E(\mathbb{Q})_{\rm tors} \leq 16$. The famous Birch and Swinnerton-Dyer conjecture (or 
BSD conjecture, in short) asserts that the size of the group of rational points on E 
over $\mathbb{Q}$, denoted by $\#E(\mathbb{Q})$, is related to the behavior of an associated zeta function, 
called the Hasse–Weil L-function $L(E, s)$, near the point s = 1. That is, if we 
define the incomplete L-function $L(E, s)$ (called incomplete because we omit 
the set of "bad" primes $p \mid 2\Delta$) as follows: 

$$L(E, s) = \prod_{p \nmid 2\Delta} \left(1 - a_p p^{-s} + p^{1-2s}\right)^{-1},$$ 

where $\Delta = -16(4a^3 + 27b^2)$ is the discriminant of E, $N_p := 
\#\{\text{solutions of } y^2 \equiv x^3 + ax + b \pmod p\}$ with p prime, and $a_p = p - N_p$. 
This L-function converges for Re(s) > 3/2, and can be analytically continued to an 
entire function [5]. It was conjectured by Birch and Swinnerton-Dyer in the 1960s 
that the rank of the Abelian group of points over a number field of an elliptic curve 
E is related to the order of the zero of the associated L-function $L(E, s)$ at s = 1: 

BSD Conjecture (Version 1): $\mathrm{ord}_{s=1} L(E, s) = \mathrm{rank}(E(\mathbb{Q}))$. 

This amazing conjecture asserts, in particular, that $L(E, 1) = 0 \iff E(\mathbb{Q})$ is infinite. 
Conversely, if $L(E, 1) \neq 0$, then the set $E(\mathbb{Q})$ is finite. An alternative version of 
BSD, in terms of the Taylor expansion of $L(E, s)$ at s = 1, is as follows: 

BSD Conjecture (Version 2): $L(E, s) \sim c(s - 1)^r$, where $c \neq 0$ and $r = \mathrm{rank}(E(\mathbb{Q}))$. 

There is also a refined version of BSD for the complete L-function $L^*(E, s)$: 

$$L^*(E, s) = \prod_{p \mid 2\Delta} \left(1 - a_p p^{-s}\right)^{-1} \cdot \prod_{p \nmid 2\Delta} \left(1 - a_p p^{-s} + p^{1-2s}\right)^{-1}.$$ 

In this case, we have: 

BSD Conjecture (Version 3): $L^*(E, s) \sim c^*(s - 1)^r$, with 

$$c^* = |Ш_E|\, R_\infty\, \omega_\infty \prod_{p \mid \Delta} \omega_p \Big/ |E(\mathbb{Q})_{\rm tors}|^2,$$ 

where $|Ш_E|$ is the order of the Tate–Shafarevich group of the elliptic curve E, the term $R_\infty$ is 
an $r \times r$ determinant whose matrix entries are given by a height pairing applied to a system 
of generators of $E(\mathbb{Q})/E(\mathbb{Q})_{\rm tors}$, the $\omega_p$ are elementary local factors, and $\omega_\infty$ is a simple 
multiple of the real period of E. 
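The ingredients of the incomplete L-function defined above (the discriminant, the point counts $N_p$, the traces $a_p = p - N_p$ and the Euler product over the good primes) are all elementary to compute, and the Python program below is an added example, not code from the book, that does so for a curve $y^2 = x^3 + ax + b$ given by integers a and b. The sample curve $y^2 = x^3 - x$ is my own choice for the test values. The Euler product is evaluated only at real s > 3/2, where it converges; at s = 1, the point BSD is about, the product does not converge and the analytic continuation is needed, which this example deliberately does not attempt.

```python
# Incomplete Hasse-Weil L-function of E: y^2 = x^3 + a x + b over Q, from its
# definition in the text.  Added example, not the book's code; names are mine.
from math import isqrt


def discriminant(a, b):
    """Delta = -16 (4 a^3 + 27 b^2), the discriminant of E."""
    return -16 * (4 * a**3 + 27 * b**2)


def primes_up_to(bound):
    """Primes <= bound by trial division (bound is small in this example)."""
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]


def N_p(a, b, p):
    """Number of affine solutions (x, y) mod p of y^2 = x^3 + a x + b."""
    square_count = {}                       # r -> number of y with y^2 = r (mod p)
    for y in range(p):
        r = y * y % p
        square_count[r] = square_count.get(r, 0) + 1
    return sum(square_count.get((x**3 + a * x + b) % p, 0) for x in range(p))


def a_p(a, b, p):
    """a_p = p - N_p, the trace of Frobenius at p."""
    return p - N_p(a, b, p)


def hasse_bound_holds(a, b, p):
    """Hasse's theorem: |a_p| <= 2 sqrt(p); a sanity check on the point count."""
    return a_p(a, b, p) ** 2 <= 4 * p


def L_incomplete(a, b, s, bound):
    """Truncated Euler product over good primes p <= bound, p not dividing
    2*Delta, of (1 - a_p p^{-s} + p^{1-2s})^{-1}.  Only meaningful for
    Re(s) > 3/2, where the product converges; s = 1 needs continuation."""
    if s <= 1.5:
        raise ValueError("the Euler product converges only for Re(s) > 3/2")
    delta = discriminant(a, b)
    value = 1.0
    for p in primes_up_to(bound):
        if (2 * delta) % p == 0:
            continue                        # bad prime: omitted from L(E, s)
        value /= 1 - a_p(a, b, p) * p ** (-s) + p ** (1 - 2 * s)
    return value


if __name__ == "__main__":
    a, b = -1, 0                            # sample curve y^2 = x^3 - x (constructed)
    print("Delta =", discriminant(a, b))
    print([(p, a_p(a, b, p)) for p in primes_up_to(30)])
    print("L(E, 2) truncated at 100:", L_incomplete(a, b, 2.0, 100))
```

For the sample curve the discriminant is 64, so 2 is the only bad prime; $a_3 = 0$, $a_5 = -2$ and $a_{13} = 6$, and every $a_p$ satisfies Hasse's bound, which is a cheap check that the point counting is right before anything is built on it.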


The eminent American mathematician John Tate commented on BSD in 1974 that "... 
this remarkable conjecture relates the behaviour of a function L at a point where it 
is at present not known to be defined to the order of a group Ш which is not known 
to be finite." So it was hoped that a proof of the conjecture would yield a proof of the 
finiteness of $Ш_E$. Using the idea of Kurt Heegner (1893-1965), Birch and his former 
PhD student Stephens established, for the first time, the existence of rational points 
of infinite order on certain elliptic curves over $\mathbb{Q}$, without actually writing down the 
coordinates of these points and naively verifying that they satisfy the equation of the 
curves. These points are now called Heegner points on elliptic curves (a Heegner 
point is a point on a modular elliptic curve that is the image of a quadratic imaginary 
point of the upper half-plane). Based on Birch and Stephens' work, particularly 
based on their massive computation of the Heegner points on modular elliptic 
curves, Gross at Harvard obtained a deep result in 1986 [17], jointly with Zagier 
at Maryland/Bonn, now called the Gross–Zagier theorem [17], which describes the 
height of Heegner points in terms of a derivative of the L-function of the elliptic 
curve at the point s = 1. That is, if $L(E, 1) = 0$, then there is a closed formula 
relating $L'(E, 1)$ and the height of the Heegner points on E. More generally, together 
with Kohnen, Gross and Zagier showed in 1987 [18] that Heegner points could be 
used to construct rational points on the curve for each positive integer n, and the 
heights of these points were the coefficients of a modular form of weight 3/2. Later, 
in 1989, the Russian mathematician Kolyvagin [29] further used Heegner points to 
construct Euler systems, and used this to prove much of the Birch–Swinnerton-Dyer 
conjecture for rank 1 elliptic curves. More specifically, he showed that if the Heegner 
point is of infinite order, then $\mathrm{rank}(E(\mathbb{Q})) = 1$. Other notable results on BSD also 
include S.W. Zhang's generalization of the Gross–Zagier theorem from elliptic curves to 
Abelian varieties, and M.L. Brown's proof of BSD for most rank 1 elliptic curves 
over global fields of positive characteristic [6]. Of course, all these results 
are far from a complete settlement of BSD. Just like Riemann's 
hypothesis, the BSD conjecture was also chosen as one of the seven Millennium 
Prize Problems [51]. Despite some progress, it is basically not known how to prove 
the Riemann hypothesis, the Goldbach conjecture or the BSD conjecture. So, there is 
a good chance for quantum computing to have a role in this research field, as it 
may well be possible to find a counterexample to one of the three open conjectures, 
given the parallel computing power of quantum computers. 


Problems for Section 6.2 


1. Design a polynomial or exponential time quantum algorithm to calculate the 
values of $\pi(x)$ and $\pi_2(x)$. 

2. Design a polynomial or exponential time quantum algorithm for calculating the 
zeros of $\zeta(s)$. 

3. Develop a polynomial or exponential time quantum algorithm for computing the 
elliptic curve L function L(E, s). 

4. Design a polynomial or exponential time quantum algorithm for verifying 
Riemann’s hypothesis. 

5. Design a polynomial or exponential time quantum algorithm for verifying 
Goldbach’s conjecture. 

6. Design a polynomial or exponential time quantum algorithm for verifying the 
Birch and Swinnerton-Dyer conjecture. 


6.3 More Quantum Algorithms 


To date, all known quantum algorithms offering substantial (particularly exponen- 
tial, i.e., superpolynomial¹) speedup over classical algorithms for the same problems 
fall into one of the following categories (see [26, 43, 50]). 

1. Use the quantum Fourier transform to find the periodicity of the problem; these 
include: 

¹ A typical superpolynomial complexity is $O\!\left((\log n)^{\log\log n}\right)$ as $n \to \infty$, where log n is the 
input length. Note that superpolynomial means exponential, not polynomial. Thus, e.g., $O\!\left((\log n)^{O(1)}\right)$ is 
polynomial, whereas $O\!\left(n^{O(1)}\right)$ is exponential. 
(1) The Deutsch–Jozsa algorithm for a black-box function decision problem 
(see [10, 13]). It is one of the first examples of a quantum algorithm that is 
exponentially faster than any possible deterministic classical algorithm, but 
not than a classical randomized algorithm, since this problem is easily solved 
by a classical randomized algorithm in polynomial time (it lies in BPP). 

(2) Simon’s quantum algorithm for a black-box function distinguishing prob- 
lem [44]. It was the motivation for Shor’s factoring algorithm. 

(3) Shor’s quantum algorithms for integer factorization and discrete logarithms 
(see [41, 42]). These algorithms have a great impact on the development of 
quantum algorithms. 

(4) Hallgren’s quantum algorithms for Pell’s equations, principal ideal problem, 
and other algebraic number-theoretic problems such as unit group, class 
group and class number (see [14, 23—25]). 

(5) The quantum phase estimation algorithm for estimating the eigenphase of an 
eigenvector of a unitary gate, given access to a quantum state proportional 
to the eigenvector and a procedure to implement the unitary conditionally. 
It is a quantum algorithm that finds many applications as a subroutine in 
other algorithms [28], including Shor’s algorithms for integer factorization 
and discrete logarithms [41]. 

(6) Algorithm for solving the hidden subgroup problem [33]. The abelian 
hidden subgroup problem is a generalization of many problems that can be 
solved by a quantum computer, such as Simon’s problem, solving Pell’s 
equation, testing the principal ideal of a ring, integer factorization and 
discrete logarithms. 

(7) Algorithm for solving the Boson sampling problem (see [34, 38]). This 
problem is to produce a fair sample of the probability distribution of the 
output which is dependent on the input arrangement of bosons and the 
unitarity. Traditionally, solving this problem with a classical algorithm 
requires computing the permanent of the unitary transform matrix, which 
may be either impossible or take too long time. 

(8) Algorithm for estimating Gauss sums [48]. The best known classical algo- 
rithm for estimating Gauss sums runs in exponential-time. It is interesting to 
note that the discrete logarithm problem reduces to Gauss sum estimation, 
so an efficient classical algorithm for estimating Gauss sums would imply an 
efficient classical algorithm for computing discrete logarithms. At present, 
both problems cannot be solved in polynomial-time by classical algorithms, 
however, they all can be solved efficiently in polynomial-time by quantum 
algorithms (see [41, 48]). 


2. Use quantum walk algorithms to solve: 


(1) The element distinctness problem (determining whether all the elements of 
a list are distinct) [2]. 

(2) The triangle-finding problem (determining whether a graph is triangle-free 
or not) [36]. 
(3) Formula evaluation (evaluating, e.g., Boolean formulas and solving 
systems of linear equations) [3]. 

(4) Group commutativity (determining if a black-box group, given by k genera- 
tors, is commutative) [35, 37]. 


A quantum walk is the quantum analogue of a classical random walk, which 
can be described by a probability distribution over some states. A quantum 
walk can be described by a quantum superposition over states. Quantum walks 
are known to give exponential speedup for some black-box problems. They also 
provide polynomial speedup for some other problems. 

3. Use quantum mechanical ideas to perform exhaustive search of n items in $\sqrt{n}$ 
time; these include Grover's quantum mechanical search algorithm and its 
generalizations (see [19-21, 23]). These types of quantum algorithms are based 
on amplitude amplification; they usually do not offer exponential speedups, 
but are still significantly faster than classical search algorithms. 

4. Use quantum mechanical ideas to solve quantum physics problems, say, e.g., 
using quantum computers to speed up the simulation of quantum physics [16]. 
This part of the work is usually done by physicists. Note that this problem 
is BQP-complete. Similar problems include, e.g., computing 
knot invariants: the Chern–Simons Topological Quantum Field Theory (TQFT) 
can be solved in terms of Jones polynomials. A quantum computer can simulate 
a TQFT, and thereby approximate the Jones polynomial [1], which is hard to 
compute classically. 
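As a concrete illustration of category 1, item (1) above, the following Python program is an added example (not code from the book) that simulates the Deutsch–Jozsa algorithm on a plain state vector of $2^n$ amplitudes, with no quantum-circuit library. The oracle is applied as the phase $|x\rangle \mapsto (-1)^{f(x)}|x\rangle$, which is what the usual ancilla-in-$|-\rangle$ construction produces; after one query and a second layer of Hadamards, the probability of reading $|0\ldots0\rangle$ is exactly 1 for a constant f and exactly 0 for a balanced f, whereas a deterministic classical algorithm may need $2^{n-1} + 1$ queries in the worst case. The function names and the sample functions f are my own.

```python
# Deutsch-Jozsa on n input qubits, simulated with a plain state vector.
# Added example, not code from the book; function names are my own.
from math import sqrt


def hadamard_all(state, n):
    """Apply a Hadamard gate to each of the n qubits of `state` (length 2^n).

    Qubit k corresponds to bit k of the basis-state index; each H mixes the
    pair of amplitudes whose indices differ only in that bit.
    """
    for qubit in range(n):
        bit = 1 << qubit
        new = list(state)
        for i in range(len(state)):
            if not i & bit:
                a, b = state[i], state[i | bit]
                new[i] = (a + b) / sqrt(2)
                new[i | bit] = (a - b) / sqrt(2)
        state = new
    return state


def deutsch_jozsa(f, n):
    """Probability of measuring |0...0> on the n input qubits after one query.

    Promise: f maps {0,1}^n -> {0,1} and is either constant or balanced.  The
    final amplitude of |0...0> is (1/2^n) * sum_x (-1)^f(x), i.e. +-1 for a
    constant f and 0 for a balanced f.
    """
    size = 1 << n
    state = [0.0] * size
    state[0] = 1.0                                    # start in |0...0>
    state = hadamard_all(state, n)                    # uniform superposition
    state = [amp * (-1) ** f(x) for x, amp in enumerate(state)]   # one oracle query
    state = hadamard_all(state, n)
    return state[0] ** 2


def classify(f, n):
    """'constant' or 'balanced', decided from the single-query outcome."""
    return "constant" if deutsch_jozsa(f, n) > 0.5 else "balanced"


def classical_queries_worst_case(n):
    """Queries a deterministic classical algorithm may need: 2^(n-1) + 1."""
    return 2 ** (n - 1) + 1


if __name__ == "__main__":
    n = 4
    constant_zero = lambda x: 0                       # constructed sample f
    parity = lambda x: bin(x).count("1") % 2          # balanced sample f
    print(classify(constant_zero, n), classify(parity, n))
    print("classical worst case:", classical_queries_worst_case(n), "queries")
```

The simulation costs $O(n 2^n)$ classical operations, which is the usual caveat: the quantum algorithm's advantage is in the number of oracle queries, not in anything a state-vector simulation on a classical machine can reproduce.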


Surprisingly enough, not many quantum algorithms have been found, par- 
ticularly since Shor discovered his marvelous quantum algorithms for integer 
factorization and discrete logarithms, leading naturally to the question of whether there 
might indeed be not many quantum algorithms that have the ability of 
exponential speedups over classical algorithms (see [43, 49]). But we are not sure 
about this. We are not even sure exactly what quantum computers can do and what 
quantum computers cannot do, as quantum computers may go beyond the limit of Turing 
machines, but of course, they may also not. 

More research needs to be done before we can say something useful for the 
computability, complexity, and applicability of quantum computers. 

The struggle continues! 


6.4 Chapter Notes and Further Reading 


Although quantum algorithms for IFP, DLP and ECDLP are the mainstream of 
research in quantum computing in general and quantum computational number 
theory in particular, there are some other types of quantum algorithms for various 
problems in number theory, algebra, topology, searching and physics. Generally 
speaking, not many quantum algorithms have been found since Shor discovered 
in 1994 his quantum algorithms for IFP and DLP. In this chapter, we discussed 
quantum algorithms for solving problems in algebraic number theory and for 
verifying number-theoretic conjectures. We also gave a perspective on quantum 
algorithms for many other problems. Apparently, more research needs to be done 
before we understand the power and the applications of quantum algorithms, and 
also before the construction of practical quantum computers. 

In the references below, we list over 50 bibliographic items on various 
quantum algorithms, most of which represent new ideas and new developments in the 
field; interested readers are suggested to consult the references and the references 
therein for more information about quantum computing in general and quantum 
computational number theory in particular. 